HTTP Header Checker
Inspect HTTP response headers from any URL. Check security headers, caching, and server configuration.
What are HTTP Headers?
HTTP headers are metadata sent between a client (such as a web browser) and a server during every HTTP request and response. They contain critical information about the request context, response status, caching rules, content type, security policies, and more. Response headers are returned by the server and tell the browser how to handle the content, how long to cache it, and what security measures to enforce.
Headers play a vital role in web performance, security, and functionality. For example, the Cache-Control header tells browsers how long to cache a resource, while Content-Type specifies the MIME type of the returned content. Understanding and properly configuring these headers is essential for any web administrator or developer.
Important Security Headers
Security headers protect your website and its users from common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks. Here are the most important ones:
Strict-Transport-Security (HSTS)
Forces browsers to always connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking. Once set, browsers will automatically convert all HTTP requests to HTTPS for the specified duration.
Content-Security-Policy (CSP)
Controls which resources (scripts, styles, images, etc.) can be loaded on your page. This is one of the most effective defenses against XSS attacks by preventing unauthorized script execution.
X-Content-Type-Options
Prevents browsers from MIME-sniffing a response away from the declared Content-Type. Set to nosniff to stop browsers from interpreting files as a different MIME type.
X-Frame-Options
Prevents your page from being embedded in iframes on other sites, protecting against clickjacking attacks. Common values are DENY and SAMEORIGIN.
X-XSS-Protection
Enables the browser's built-in XSS filter. While modern browsers have deprecated this in favor of CSP, it still provides a safety net for older browsers. Set to 1; mode=block.
Referrer-Policy
Controls how much referrer information is included with requests. Helps protect user privacy by limiting what URL information is shared when navigating away from your site.
How to Add Security Headers to Your Website
Adding security headers depends on your web server or hosting platform. Here are examples for the most common setups:
Apache (.htaccess)
# Requires mod_headers; the IfModule guard avoids a server error if the module is disabled.
<IfModule mod_headers.c>
    # "always" also sends the header on error responses (4xx/5xx), matching nginx's "always".
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
Nginx
# "always" sends the header on error responses too, not only on 2xx/3xx.
# add_header is not merged across levels: a location block that declares its own
# add_header drops every header inherited from the server block, so repeat the
# full set in any location that adds a header of its own.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Express.js (Node.js)
const express = require('express');
const app = express();
// Using the helmet middleware (recommended): one call sets secure defaults for
// the headers above and several others; tune them through helmet's options.
const helmet = require('helmet');
app.use(helmet());
// Or set headers manually. Register this middleware before any route so every
// response, including error pages, carries the headers.
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});
After adding security headers, use the HTTP Header Checker tool above to verify they are correctly configured. Aim for a perfect 6/6 security score to maximize your website's protection.
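As an added example (not the page's own checker, and not code from Apache, nginx, Express or helmet), here is a small Node.js script that does offline what the tool on this page does online: it parses a raw HTTP/1.1 response head, checks the value of each of the six headers listed above rather than only whether it is present, and reports a score out of 6 with one finding per failed header. The two sample responses are constructed for illustration, and the acceptance rules (a one-year HSTS max-age, a CSP that restricts scripts and does not rely on a bare 'unsafe-inline', a referrer policy that never sends the full URL to another origin) are this example's assumptions, not the tool's published scoring.

```javascript
// Added example, not the page's tool or any project's code: an offline scorer
// for the six security headers described above. It parses a raw HTTP/1.1
// response head, checks each header's value (not merely its presence), and
// returns a score out of 6 plus one finding per failed header. Node.js.

// Parse the status line and header fields of a raw response head. Field names
// are case-insensitive, so keys are lower-cased; a repeated field is joined
// with ", " (the HTTP list-value rule) instead of silently overwriting.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const statusLine = lines.shift() || '';
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate a malformed line rather than abort
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { statusLine, headers };
}

// One check per header. Each returns null on pass or a short finding string.
// The acceptance rules are this example's assumptions, not the tool's.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'missing max-age directive';
    return Number(m[1]) < 31536000 ? `max-age ${m[1]} is under one year` : null;
  },
  'content-security-policy': (v) => {
    const p = v.toLowerCase();
    if (!/(^|;)\s*(default-src|script-src)\b/.test(p)) {
      return 'restricts neither default-src nor script-src';
    }
    if (p.includes("'unsafe-inline'") && !/'(nonce-|sha(256|384|512)-)/.test(p)) {
      return "'unsafe-inline' without a nonce or hash re-enables inline scripts";
    }
    return null;
  },
  'x-content-type-options': (v) =>
    v.toLowerCase() === 'nosniff' ? null : `expected "nosniff", got "${v}"`,
  'x-frame-options': (v) =>
    ['deny', 'sameorigin'].includes(v.toLowerCase())
      ? null : `expected DENY or SAMEORIGIN, got "${v}"`,
  // "1; mode=block" follows the page's advice; "0" (filter disabled) is also
  // accepted because that is what current browser vendors recommend.
  'x-xss-protection': (v) =>
    /^(0|1;\s*mode=block)$/i.test(v) ? null : `unexpected value "${v}"`,
  'referrer-policy': (v) => {
    // Policies that never send the full URL to another origin.
    const safe = ['no-referrer', 'same-origin', 'strict-origin',
      'strict-origin-when-cross-origin', 'origin', 'origin-when-cross-origin'];
    // The header may carry a comma-separated fallback list; the last value wins.
    const chosen = v.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean).pop();
    return safe.includes(chosen) ? null : `"${chosen}" can leak full URLs cross-origin`;
  },
};

// Score a raw response head: one point per header that is present and passes.
function scoreHeaders(raw) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  let score = 0;
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in headers)) { findings.push(`${name}: missing`); continue; }
    const problem = check(headers[name]);
    if (problem) findings.push(`${name}: ${problem}`);
    else score += 1;
  }
  return { score, total: Object.keys(CHECKS).length, findings };
}

// Constructed sample responses for illustration (not captured from any site).
const GOOD_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload',
  "Content-Security-Policy: default-src 'self'",
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: SAMEORIGIN',
  'X-XSS-Protection: 1; mode=block',
  'Referrer-Policy: strict-origin-when-cross-origin',
].join('\r\n');
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  "Content-Security-Policy: default-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: ALLOWALL',
  'Referrer-Policy: unsafe-url',
].join('\r\n');

for (const [label, raw] of [['good', GOOD_RESPONSE], ['weak', WEAK_RESPONSE]]) {
  const r = scoreHeaders(raw); // good -> 6/6, weak -> 1/6 with five findings
  console.log(`${label}: ${r.score}/${r.total}`);
  r.findings.forEach((f) => console.log('  - ' + f));
}
```

To run it against a live response, capture the head with a client that prints raw headers (for example `curl -sI https://example.invalid`, a placeholder hostname) and pass that text to scoreHeaders. Checking values rather than presence is the point: a header that is present but weak, such as a short HSTS max-age or a CSP with a bare 'unsafe-inline', counts as a failure here even though a presence-only check would award the point.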