HTTP Header Checker

See exactly what HTTP response headers a URL returns. Enter an address and this tool fetches it live from our server and shows the status code, the full redirect chain and every response header the server sent — content type, caching, compression, cookies, security headers and more. It is the fastest way to see what a browser sees before the page even renders.

We fetch the URL live from our server (not your browser), follow redirects and read only the response headers. Nothing is stored.

How to use the HTTP Header Checker

Enter a URL and press Check headers. The tool requests the page from our server, follows any redirects, and reports:

  • The final HTTP status code and how many redirects were followed to reach it.
  • Every response header the server returned, name and value, in the order it sent them.
  • A one-click copy of the entire header block, ready to paste into a ticket or a bug report.

You can paste a bare host (example.com) or a full URL with a path. If you omit the scheme the tool defaults to https://. Only HTTP and HTTPS on ports 80 and 443 are fetched.

What HTTP response headers are

Every time a server answers a request it sends a block of HTTP headers before the page body. These headers are metadata: they tell the browser what the content is, how long to cache it, whether the connection must stay on HTTPS, what cookies to set, and which security rules to enforce. The body is what you see; the headers are the instructions for how to handle it.

Reading them directly is useful because so much behaviour is controlled here rather than in the visible HTML:

  • Content-Type decides whether the browser renders, downloads or sniffs the response, and which character set it uses.
  • Cache-Control, ETag and Expires govern whether a resource is reused from cache or re-fetched, which is the single biggest lever on repeat-visit speed.
  • Content-Encoding shows whether gzip or Brotli compression is active.
  • Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and friends are the security posture of the response.
  • Server and X-Powered-By reveal (or, ideally, hide) the software stack.
  • Location drives redirects, and Set-Cookie drives sessions.

Because a browser applies all of this silently, a misconfigured header often explains a bug that the page source cannot — a resource that will not cache, a download that opens as text, a redirect loop, or a security warning. Seeing the raw headers is how you diagnose it.

Common use cases

  • Debugging caching — confirm whether an asset sends a long Cache-Control or is being needlessly re-fetched on every visit.
  • Verifying a deploy — check that a new header (CSP, HSTS, a custom header) actually shipped to production.
  • Diagnosing redirects — see the exact chain and final status when a URL behaves unexpectedly.
  • Security review — read the security headers a site sends in one place before a deeper audit.
  • API and webhook work — inspect content type, CORS and rate-limit headers an endpoint returns.

Request headers vs response headers

HTTP headers travel in both directions, and it helps to keep them straight:

  • Request headers are sent by the client (the browser or this tool) — things like Accept, User-Agent, Accept-Encoding and Cookie. They describe what the client wants and can handle.
  • Response headers are sent back by the server — Content-Type, Cache-Control, Set-Cookie, Strict-Transport-Security and the rest. They describe the answer and how to treat it.

This tool shows the response headers, because that is where a server's configuration is visible. It sends a normal browser-like Accept and advertises gzip, deflate and Brotli, so the response reflects what a real visitor would receive.

Frequently asked questions

How do I check the HTTP headers of a website?
Enter the URL above and press Check headers. The tool fetches the page from our server, follows redirects, and lists every response header with its value plus the final status code.

Why are the headers read from your server and not my browser?
Browsers block JavaScript from reading the raw response headers of other sites for security (CORS). Fetching server-side is the only way to show you the complete header block. We request the URL live, read the response, and store nothing.

What is the difference between request and response headers?
Request headers are sent by the client to describe what it wants (Accept, User-Agent, Cookie). Response headers are sent back by the server to describe the answer (Content-Type, Cache-Control, Set-Cookie). This tool shows the response headers.

Can I check headers behind a login or on a specific path?
You can check any public URL including deep paths. The tool cannot send your cookies or credentials, so pages that require a login will return the headers of the login or redirect response, not the authenticated page.

Which security headers should I look for?
The key ones are Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Use the Security Headers Checker for a scored view of these specifically.

Does this store the URLs I check?
No. Each request runs live against the URL and nothing is logged or saved.