View every HTTP response header for any URL — status codes, security score, caching, CDN detection, redirects and more.
Every HTTP response contains two parts: the body (HTML, JSON, images, or files) and the headers — invisible key-value metadata sent before the body. Headers control caching, content type, compression, security policies, redirect destinations and more. Without inspecting headers directly, you cannot fully understand how a server behaves. Use our SSL Checker alongside this tool to verify your complete HTTPS configuration in one workflow.
The tool checks seven security-critical response headers and awards a grade from A (80%+ present) down to F (under 20%). Strict-Transport-Security (HSTS) forces browsers to use HTTPS exclusively. Content-Security-Policy (CSP) prevents cross-site scripting. X-Frame-Options blocks clickjacking. X-Content-Type-Options: nosniff stops MIME confusion attacks. Referrer-Policy prevents sensitive path leakage. Permissions-Policy restricts browser API access. X-XSS-Protection provides legacy filter fallback for older browsers. Enable HSTS only after confirming a valid certificate with our SSL Checker.
A HEAD request asks the server for headers only — no response body is returned. It is faster and uses less bandwidth, making it ideal for checking headers without downloading a full page. Switch to GET only if a server returns unexpected results with HEAD, or if you need to inspect content-negotiation headers that vary with the body. To test whether a port is open before sending requests, use our Port Checker.
Status codes in the 2xx range signal success — 200 OK is the standard response. Codes in the 3xx range are redirects — 301 is permanent and passes SEO value, 302 is temporary and does not. Codes in the 4xx range are client errors: 404 means not found, 403 means access is forbidden. Codes in the 5xx range are server errors: 500 is a generic internal error, 503 means temporarily unavailable. When a redirect is detected, click the destination to check that URL too. Use our WHOIS Lookup to verify ownership of any redirect target domain.
In Apache, add them to your .htaccess file using Header always set directives. In Nginx, use add_header inside your server or location blocks. On Cloudflare, use Transform Rules to inject headers at the edge. After any change, re-run this checker to confirm, then verify your SSL configuration with our SSL Checker and DNS propagation with our DNS Lookup.
Cache-Control is the primary caching directive. Values like max-age=3600 allow caching for one hour; no-store prevents it entirely. ETag provides a resource fingerprint for conditional requests, allowing browsers to receive a lightweight 304 Not Modified if nothing changed. Last-Modified serves the same purpose using timestamps. Use our ASN Lookup to identify which CDN or network operator is serving a domain, which often explains unexpected caching behaviour.
When Cloudflare proxies a domain, every response includes a CF-Ray header — this tool detects it automatically and displays "Cloudflare" in the CDN field. Other CDNs identify themselves via the Via header. For deeper routing analysis, use our ASN Lookup to identify the hosting network, and our Reverse DNS tool to check the PTR record of any server IP.
Yes — enter any fully qualified URL including subdomains, paths, query strings and non-standard ports (e.g. api.example.com:8443/health). If a connection fails, confirm port accessibility with our Port Checker, basic reachability with our Ping Test, and domain resolution with our DNS Lookup.
Yes — completely free with no account required and no data stored. Requests are made from our server, so results reflect what the public internet sees, independent of your local network. Combine this tool with our SSL Checker, DNS Lookup, WHOIS Lookup, Port Checker, Ping Test, Reverse DNS and ASN Lookup for a complete domain health audit — all free.
Convixy provides a full suite of free network utilities alongside the HTTP Headers Checker: