HTTP Header Checker

Inspect HTTP response headers and status codes from any URL. Analyze security headers, caching directives, and server information.

How to Use

  1. Enter a URL to inspect

     Paste any public URL into the input field. The tool fetches the live HTTP response headers and status code directly from the server.

  2. Review the response headers

     Examine headers such as Content-Type, Cache-Control, X-Frame-Options, and Strict-Transport-Security. Each header is displayed with its raw value for precise debugging.

  3. Identify misconfigurations

     Look for missing security headers, incorrect cache directives, or unexpected status codes that may indicate redirects, authentication issues, or server errors.

About

HTTP response headers are the metadata envelope that accompanies every server response, governing caching behavior, security policies, content negotiation, and connection management. Defined primarily in RFC 9110 (HTTP Semantics) and RFC 9111 (HTTP Caching), headers allow servers and clients to negotiate capabilities without modifying the response body itself. Understanding headers is essential for debugging production issues, optimizing CDN performance, and hardening application security.

The HTTP Header Checker fetches live headers from any public URL and presents them in a structured, human-readable format. Security headers like Strict-Transport-Security (RFC 6797), Content-Security-Policy (W3C), and Permissions-Policy are highlighted alongside caching directives such as Cache-Control and ETag. The tool also surfaces the HTTP status code, protocol version, and timing metadata so you can diagnose problems without leaving the browser.

Common use cases include verifying CORS configuration before deploying a frontend, confirming that HSTS preloading is correctly set (max-age ≥ 31536000; includeSubDomains; preload), and checking that API responses carry the correct Content-Type (application/json rather than text/html). For teams maintaining SLAs, routine header audits catch misconfigurations — such as a missing Cache-Control: no-store on sensitive endpoints — before they reach production users.

FAQ

Why do I get a different status code in the checker than in my browser?
Browsers follow redirects automatically and send cookies, session tokens, and Accept headers that alter server behavior. The header checker makes a bare HTTP request without browser-specific headers, so intermediate 301/302 redirects or cookie-gated responses become visible. Use the Redirect Tracer tool to see the full hop-by-hop chain your browser actually follows.
What does the Vary header mean in HTTP responses?
The Vary header (defined in RFC 7231 §7.1.4) instructs caches which request headers affect the response content. For example, Vary: Accept-Encoding tells CDNs and proxies to store separate cache entries for compressed and uncompressed versions. A poorly configured Vary: * header disables all caching entirely, which can severely impact site performance.
How can I tell if a site uses HTTP/2 or HTTP/3?
Look for the :status pseudo-header in HTTP/2 responses or the Alt-Svc header advertising h3 support for HTTP/3 (QUIC). RFC 9114 defines HTTP/3, while RFC 9113 governs HTTP/2. Many servers also return a Server or Via header that hints at the protocol version in use.
Why does my API return 200 OK even on errors?
This is a common anti-pattern where applications return HTTP 200 with an error body like {"success": false}. RFC 9110 §15 defines status codes as the machine-readable signal for outcome; returning 200 for errors defeats HTTP semantics and breaks monitoring tools, load balancers, and API clients that rely on status codes. Return 4xx for client errors and 5xx for server faults.
What security headers should every production site include?
RFC 9110 and OWASP recommend at minimum: Strict-Transport-Security (HSTS, RFC 6797) to enforce HTTPS, Content-Security-Policy to prevent XSS, X-Content-Type-Options: nosniff to block MIME sniffing, X-Frame-Options or the CSP frame-ancestors directive to prevent clickjacking, and Referrer-Policy to control information leakage. Missing any of these is flagged by browser DevTools and security scanners as a vulnerability.
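
As an added example (not code from the tool this page describes), the following Python audits a raw response head for the security headers listed in the answer above, plus the HSTS preload values and the Cache-Control: no-store check mentioned under About. The function names, finding strings and the sample response are constructed for illustration.

```python
import re

# Constructed sample response head (not captured from a real server).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html; charset=utf-8\r\n"
          "Strict-Transport-Security: max-age=86400; includeSubDomains\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
          "Cache-Control: public, max-age=600\r\n\r\n")

def parse_head(raw):
    """Return (status_code, {lowercased field name: value}) from a raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # A repeated field is joined with commas, as HTTP allows for list-valued fields.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return int(lines[0].split()[1]), headers

def hsts_issues(value):
    """Compare an HSTS value with max-age >= 31536000; includeSubDomains; preload."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', p) for p in parts if p.startswith("max-age")]
    issues = []
    if not ages or ages[0] is None:
        issues.append("hsts: max-age missing or malformed")
    elif int(ages[0].group(1)) < 31536000:
        issues.append("hsts: max-age below 31536000")
    return issues + [f"hsts: {d} missing" for d in ("includesubdomains", "preload") if d not in parts]

def audit(raw, sensitive=False):
    """List findings for the headers this page names; sensitive=True also requires no-store."""
    _, h = parse_head(raw)
    hsts = h.get("strict-transport-security")
    findings = hsts_issues(hsts) if hsts is not None else ["missing: strict-transport-security"]
    for name in ("content-security-policy", "x-content-type-options", "referrer-policy"):
        if name not in h:
            findings.append(f"missing: {name}")
    # Clickjacking protection can come from either header, so check both.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", "").lower():
        findings.append("missing: x-frame-options or csp frame-ancestors")
    cache = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if sensitive and "no-store" not in cache:
        findings.append("cache-control: no-store missing on sensitive endpoint")
    return findings
```

Calling `audit(SAMPLE)` reports the short HSTS max-age, the missing preload directive and the missing Referrer-Policy; passing `sensitive=True` also reports the absent no-store.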