HTTP Headers Checker — Inspect Response Headers

Inspect HTTP response headers for any URL. Check security headers, cache-control, content-type, and more.

About HTTP Headers Checker — Inspect Response Headers

HTTP Headers Checker fetches and displays all HTTP response headers for any URL, including status code, content-type, cache-control, security headers, and more. Diagnose caching issues, missing security headers, and redirect chains.

How to Use

  1. Enter the URL you want to inspect in the input field.
  2. Click "Check" to send an HTTP request and retrieve the response headers.
  3. Review the listed headers to diagnose caching, security, and server configuration issues.

Features

  • Instantly inspect all HTTP response headers for any public URL
  • Identify missing security headers (HSTS, CSP, X-Frame-Options)
  • Diagnose cache-control and content-type configuration
  • Detect redirect status codes (301, 302, 307)

Understanding HTTP Response Headers

HTTP response headers are metadata sent by a web server alongside the page content. They control how browsers, CDNs, and proxies handle the response — covering caching, content type, security policies, and more.

Essential Headers Every Website Should Have

Several HTTP headers are considered essential for modern websites. Content-Type declares the MIME type and character encoding (e.g., "text/html; charset=UTF-8") — without it, browsers may misinterpret content. Cache-Control directs how browsers and CDNs should cache the response; for static assets, a long max-age is ideal, while for dynamic pages, "no-cache" is appropriate. The X-Content-Type-Options: nosniff header prevents browsers from MIME-sniffing a response away from the declared content type. Strict-Transport-Security (HSTS) forces future requests to use HTTPS even if the user types http://. Content-Security-Policy (CSP) restricts which resources (scripts, images, iframes) the browser can load, mitigating XSS attacks. Use this HTTP Headers Checker to verify all these headers are present and correctly configured on your server.

Caching Headers and Performance

Caching headers have a direct impact on page load speed and server load. Cache-Control is the primary caching directive — common values include "public, max-age=31536000" for immutable static assets, "no-cache" to require revalidation before serving from cache, and "no-store" to prevent caching entirely for sensitive pages. The ETag header is an opaque identifier for the current version of a resource (often a hash of its content); browsers can send it back to check whether the cached version is still valid without re-downloading the full resource. Last-Modified works similarly using timestamps. The Vary header tells caches to store separate versions based on certain request headers. Reviewing these headers with this tool helps diagnose slow page loads caused by missing or misconfigured caching directives.
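As an added example (not the checker's own code), the following Python parses a Cache-Control value the way a shared cache reads it and then flags the case the section warns about: a response with user-specific content that a CDN or proxy could store and hand to someone else. The header sets are constructed, and the presence of Set-Cookie is used as a rough marker of per-user content.

```python
"""Parse Cache-Control and decide how a shared cache would treat a response.

Added example, not the checker's own code. All header values below are
constructed samples; Set-Cookie is treated as a marker of user-specific content.
"""
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive, so they are lower-cased; directives
    with no argument (public, no-store, immutable) map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def shared_cache_verdict(headers: Dict[str, str]) -> str:
    """Classify how a CDN or proxy may treat the response.

    Returns "not-stored", "private-only", "revalidate", "cacheable:<seconds>",
    or "heuristic" when no explicit freshness is given (a cache may then guess
    a lifetime from Last-Modified, which is rarely what you want for dynamic pages).
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"
    if "private" in cc:
        return "private-only"
    if "no-cache" in cc:
        return "revalidate"
    # s-maxage applies only to shared caches and overrides max-age there.
    for key in ("s-maxage", "max-age"):
        arg = cc.get(key)
        if arg is not None and arg.isdigit():
            return f"cacheable:{arg}"
    return "heuristic"


def risky_shared_caching(headers: Dict[str, str]) -> bool:
    """True when a response that sets a cookie could be stored by a shared cache.

    That combination is how one user's personalised page ends up served to
    another; the fix is Cache-Control: private or no-store on such responses.
    """
    names = {k.lower() for k in headers}
    verdict = shared_cache_verdict(headers)
    return "set-cookie" in names and (verdict == "heuristic" or verdict.startswith("cacheable:"))


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "static asset": {"Cache-Control": "public, max-age=31536000, immutable"},
        "account page": {"Cache-Control": "public, max-age=600", "Set-Cookie": "session=abc"},
        "api response": {"Cache-Control": "no-cache, no-store"},
        "no directives": {"Content-Type": "text/html", "Set-Cookie": "session=abc"},
    }
    for name, hdrs in samples.items():
        print(f"{name:14} {shared_cache_verdict(hdrs):22} risky={risky_shared_caching(hdrs)}")
```

The order of the checks matters: no-store wins over everything, private beats any max-age, and s-maxage is consulted before max-age because that is the precedence a shared cache applies.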

Security Headers Explained

Security headers are increasingly important as web attacks grow more sophisticated. The X-Frame-Options header (with value DENY or SAMEORIGIN) prevents your pages from being embedded in iframes on malicious sites, protecting against clickjacking. Referrer-Policy controls how much referrer information is included with requests — "strict-origin-when-cross-origin" is a sensible default that prevents leaking full URLs to third parties. Permissions-Policy restricts which browser features like camera, microphone, and geolocation the page can access. Cross-Origin-Resource-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) are needed to enable modern browser isolation features. Running your site through this checker reveals which security headers are missing so you can add them to your server or CDN configuration.
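An added example, not the tool's own code, showing how a checker can turn the headers listed in this section and the one on essential headers into concrete findings. The two header sets are constructed. The checks test for presence and for the values the text names (DENY or SAMEORIGIN, nosniff, an HSTS max-age), plus one value check on CSP: a policy containing 'unsafe-inline' is present but no longer blocks injected inline script.

```python
"""Audit response headers for the security headers discussed on this page.

Added example, not the checker's own code. SAMPLE_HEADERS and HARDENED_HEADERS
are constructed, not captured from a real server.
"""
import re
from typing import Dict, List

# Constructed: a server that got some headers right and some wrong.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# Constructed: the same server after fixing every finding below.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # HSTS is only in effect when it carries a non-zero max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security max-age=0 switches HSTS off")

    # CSP must exist, and 'unsafe-inline' undoes its protection against injected script.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    # Only DENY and SAMEORIGIN are meaningful X-Frame-Options values.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is missing or not 'nosniff'")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")  # title() yields e.g. Referrer-Policy
    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```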

Diagnosing Common HTTP Header Issues

Many website problems — from broken caching to failed social sharing — can be traced back to misconfigured HTTP headers. Knowing what to look for saves debugging time.

Redirect Chains and Status Codes

HTTP status codes communicate the outcome of a request. 200 OK means success. 301 Moved Permanently is the correct code for permanent SEO-safe redirects (Google passes link equity). 302 Found is a temporary redirect that does not pass full link equity. 307 Temporary Redirect preserves the HTTP method. 404 Not Found means the resource does not exist. 500 Internal Server Error indicates a server-side problem. Redirect chains add latency and dilute SEO value; best practice is to redirect directly from the original URL to the final destination. Use this tool to check the status code and Location header for redirect targets, verifying that redirects are the correct type and lead directly to the final URL.
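An added example, not the checker's own code, of the redirect-chain check this section describes: follow Location headers hop by hop, count the redirects, stop on a loop, and flag a chain that should be collapsed into a single redirect or that steps from https back to plain http. FAKE_SERVER is a constructed map of URL to (status, headers) that stands in for real requests, so the code runs offline; swapping in a real client that does not auto-follow redirects is the only change needed to use it against a live URL.

```python
"""Follow a redirect chain offline and report hops, loops, and scheme downgrades.

Added example, not the checker's own code. FAKE_SERVER is constructed and
example.test is a reserved name, not a real site.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str]]

FAKE_SERVER: Dict[str, Response] = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (302, {"Location": "/home"}),  # relative Location
    "https://example.test/home": (200, {"Content-Type": "text/html"}),
    "https://example.test/loop-a": (307, {"Location": "/loop-b"}),
    "https://example.test/loop-b": (307, {"Location": "/loop-a"}),
    "https://example.test/legacy": (301, {"Location": "http://example.test/home"}),  # https -> http
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP client that does not follow redirects itself."""
    return FAKE_SERVER.get(url, (404, {}))


def _result(chain: List[Tuple[str, int]], final_url: str, final_status, outcome: str) -> Dict:
    hops = sum(1 for _, status in chain if status in REDIRECT_CODES)
    return {"chain": chain, "final_url": final_url, "final_status": final_status,
            "outcome": outcome, "hops": hops}


def follow_redirects(url: str, fetch: Callable[[str], Response] = fake_fetch,
                     max_hops: int = 10) -> Dict:
    """Walk the chain starting at url; outcome is ok, loop, missing-location or too-many-hops."""
    chain: List[Tuple[str, int]] = []
    seen = set()
    current = url
    while True:
        if current in seen:
            return _result(chain, current, None, "loop")
        seen.add(current)
        status, headers = fetch(current)
        chain.append((current, status))
        if status not in REDIRECT_CODES:
            return _result(chain, current, status, "ok")
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location is None:
            return _result(chain, current, status, "missing-location")
        if len(chain) > max_hops:
            return _result(chain, current, status, "too-many-hops")
        current = urljoin(current, location)  # Location may be relative to the current URL


def chain_warnings(result: Dict) -> List[str]:
    """Turn a follow_redirects result into the issues the text says to look for."""
    warnings: List[str] = []
    if result["hops"] > 1:
        warnings.append(f"{result['hops']} redirects in a row; point the first URL straight at the final one")
    urls = [u for u, _ in result["chain"]]
    if urls[-1] != result["final_url"]:
        urls.append(result["final_url"])
    for a, b in zip(urls, urls[1:]):
        if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http":
            warnings.append(f"redirect from {a} downgrades to plain http")
    if result["outcome"] != "ok":
        warnings.append(f"chain did not terminate normally: {result['outcome']}")
    return warnings


if __name__ == "__main__":
    for start in ("http://example.test/", "https://example.test/loop-a", "https://example.test/legacy"):
        r = follow_redirects(start)
        print(start, "->", r["final_url"], r["final_status"], r["outcome"], chain_warnings(r))
```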

CORS Headers for APIs and Cross-Origin Requests

Cross-Origin Resource Sharing (CORS) headers control which external origins can make JavaScript requests to your server. The Access-Control-Allow-Origin header specifies allowed origins — using "*" allows any origin (suitable for public CDN assets), while specific domains restrict access for API endpoints. Access-Control-Allow-Methods lists permitted HTTP methods. Access-Control-Allow-Headers specifies which request headers are permitted. If your API is returning CORS errors in the browser console, checking the response headers with this tool immediately shows whether the CORS headers are present, incorrectly configured, or missing entirely — far faster than debugging through browser DevTools alone.
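An added example, not the checker's own code, that applies the browser's side of the CORS rules to a set of response headers so you can see why a given request would be blocked before opening DevTools. It covers the origin match (exact or wildcard), the rule that a wildcard is rejected when the request carries credentials, and the Access-Control-Allow-Methods check for methods that need a preflight. Header sets and origins are constructed; the Access-Control-Allow-Headers check is left out to keep the block focused.

```python
"""Decide whether a browser would let script on request_origin read a response.

Added example, not the checker's own code. The header dicts and origins are
constructed; app.example and other.example are placeholders.
"""
from typing import Dict, Optional

# Methods that never trigger a preflight (header checks aside).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def cors_allows(headers: Dict[str, str], request_origin: str, method: str = "GET",
                with_credentials: bool = False) -> Dict[str, object]:
    """Return {"allowed": bool, "reason": str} for one response/request pair."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return {"allowed": False, "reason": "missing Access-Control-Allow-Origin"}
    if acao == "*":
        # Browsers refuse the wildcard when cookies or auth headers are sent.
        if with_credentials:
            return {"allowed": False, "reason": "wildcard origin is not accepted for credentialed requests"}
    elif acao != request_origin:
        return {"allowed": False,
                "reason": f"origin {request_origin} does not match Access-Control-Allow-Origin ({acao})"}
    if with_credentials:
        acac = (_header(headers, "Access-Control-Allow-Credentials") or "").lower()
        if acac != "true":
            return {"allowed": False, "reason": "Access-Control-Allow-Credentials is not 'true'"}
    method = method.upper()
    if method not in SIMPLE_METHODS:
        acam = _header(headers, "Access-Control-Allow-Methods")
        allowed = {m.strip().upper() for m in acam.split(",")} if acam else set()
        wildcard_ok = "*" in allowed and not with_credentials  # '*' is literal for credentialed requests
        if method not in allowed and not wildcard_ok:
            return {"allowed": False, "reason": f"method {method} not listed in Access-Control-Allow-Methods"}
    return {"allowed": True, "reason": "ok"}


if __name__ == "__main__":
    # Constructed: a public asset server and a locked-down API.
    cdn = {"Access-Control-Allow-Origin": "*"}
    api = {
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, DELETE",
    }
    for label, hdrs, origin, kwargs in (
        ("cdn, plain GET", cdn, "https://app.example", {}),
        ("cdn, with cookies", cdn, "https://app.example", {"with_credentials": True}),
        ("api, DELETE from app", api, "https://app.example", {"method": "DELETE", "with_credentials": True}),
        ("api, other origin", api, "https://other.example", {}),
    ):
        print(f"{label:22} {cors_allows(hdrs, origin, **kwargs)}")
```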

FAQ

What is the X-Frame-Options header?
X-Frame-Options prevents your page from being embedded in an <iframe> on other sites, protecting against clickjacking attacks.
What is HSTS?
HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS for future requests to your domain, preventing downgrade attacks.
Why do I see a CORS header?
Access-Control-Allow-Origin headers control which origins can make cross-site requests to your server. They are commonly needed for APIs.
What security headers should every website have?
The essential security headers are: Content-Security-Policy (prevents XSS by controlling script sources), X-Frame-Options: DENY (prevents clickjacking), X-Content-Type-Options: nosniff (prevents MIME sniffing), Strict-Transport-Security (enforces HTTPS), Referrer-Policy: strict-origin-when-cross-origin (controls referrer data), and Permissions-Policy (restricts browser feature access). Check your current headers using this tool and compare against security scoring services like securityheaders.com.
What does the Cache-Control header do?
Cache-Control tells browsers and CDNs how to cache the response. Key directives: max-age=N (cache for N seconds), no-cache (must revalidate before using cached copy), no-store (never cache — use for sensitive pages), public (cacheable by CDNs), private (cacheable only by the browser). Example: Cache-Control: public, max-age=31536000, immutable is ideal for versioned static assets (JavaScript bundles, images). Cache-Control: no-cache, no-store is appropriate for API responses with user-specific data.
