HTTP Header Checker

HTTP response headers are metadata sent by a web server alongside the requested content. They tell the browser how to handle the response — including caching rules, content type, security policies, compression settings, and redirect instructions. Headers are invisible to regular visitors but are essential for developers, security analysts, and system administrators diagnosing server behavior.

A security header audit checks whether a website sends the HTTP headers that instruct browsers to activate built-in security protections. The eight critical security headers are: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (prevents XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls data leakage), Permissions-Policy (restricts browser features), X-XSS-Protection (legacy XSS filter), and Access-Control-Allow-Origin (CORS). Missing headers leave users exposed to preventable attacks.

The security grade summarizes how many of the 8 critical security headers are present. A+ means all 8 are present. A means 7 of 8. B means 6 of 8. C means 5 of 8. D means 3 or 4 of 8. F means 2 or fewer. The grade reflects the breadth of browser-enforced security protections, not the overall security of the server itself.

A redirect chain occurs when a URL redirects to another URL, which in turn redirects again. Each hop adds latency and long chains significantly slow down page load times. They also dilute SEO link equity. Our tool shows every hop — the URL, status code, and headers returned at each step — so you can diagnose and eliminate unnecessary redirects.

Many web servers include a Server header that reveals the exact software and version — for example, "nginx/1.25.3" or "Apache/2.4.49 (Ubuntu) PHP/8.2.10". This helps attackers identify known CVEs for your exact version. Our tool flags these disclosures and recommends suppressing them. On Nginx, set server_tokens off in nginx.conf. On Apache, set ServerTokens Prod and ServerSignature Off.

The HTTP Header Checker automatically detects Cloudflare (via cf-ray and cf-cache-status headers), AWS CloudFront (via x-amz-cf-id and x-amz-cf-pop), Fastly (via x-served-by), Akamai (via x-akamai-transformed), and Varnish (via x-varnish). CDN detection is based on proprietary headers that each CDN injects into responses — if no CDN-specific headers are present, the tool reports no CDN detected.

HTTP/2 is the second major version of the HTTP protocol. Compared to HTTP/1.1, it supports multiplexing (multiple requests over a single connection), header compression, and server push — all of which reduce page load times. Our tool reports the protocol version negotiated for the final response. If your server is still serving HTTP/1.1, upgrading to HTTP/2 is a straightforward performance improvement available on all major web servers.