Enter any URL — https:// will be prepended if missing
The HTTP Headers Checker fetches the HTTP response headers for any URL. HTTP headers are metadata sent by the server with every response — they control caching, security, content type, redirects, and much more.
Security headers are instructions from the server to the browser that harden your site against common attacks. Missing headers are a frequent source of web application vulnerabilities.
Content-Security-Policy
Mitigates XSS and data injection attacks by controlling which resources the page is allowed to load.
Strict-Transport-Security
Tells the browser to use only HTTPS for the site (HSTS), which prevents protocol downgrade attacks.
X-Content-Type-Options
Prevents MIME-type sniffing. Should be set to "nosniff".
X-Frame-Options
Prevents clickjacking by controlling whether the page can be embedded in iframes.
Permissions-Policy
Controls access to browser APIs like camera, microphone, and geolocation.
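The checks described above can be run offline over a saved response head. The following is an added example, not the HTTP Headers Checker's own code: the function names and the SAMPLE response are constructed for illustration, and the HSTS and X-Frame-Options value checks go slightly beyond the presence checks listed here.

```python
# Added example: audit a raw HTTP response head for the five security headers.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-content-type-options", "x-frame-options", "permissions-policy")

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: first value}."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                             # header names are case-insensitive
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def hsts_max_age(value):
    """Return the max-age directive as an int, or None if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit(raw):
    """Return a sorted list of (header, problem) findings."""
    h = parse_headers(raw)
    findings = [(name, "missing") for name in REQUIRED if name not in h]
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append(("x-content-type-options", "not nosniff"))
    # max-age=0 tells the browser to drop the HSTS policy, so treat it as a finding
    if "strict-transport-security" in h and not hsts_max_age(h["strict-transport-security"]):
        findings.append(("strict-transport-security", "max-age missing or zero"))
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", "not DENY or SAMEORIGIN"))
    return sorted(findings)

# Constructed sample response head (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
strict-transport-security: max-age=0
X-Content-Type-Options: sniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'

"""

if __name__ == "__main__":
    for header, problem in audit(SAMPLE):
        print(f"{header}: {problem}")
```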