HTTP Header Checker: Inspect Server Response Headers

📖 10 min read 📅 April 13, 2026 ✍️ Risetop Team

Every time your browser loads a web page, the server sends back more than just HTML. Before the first pixel renders, an invisible conversation happens through HTTP headers—metadata that tells your browser how to handle the content, whether to cache it, how secure the connection is, and what the server is running. In this hands-on tutorial, we will break down the most important HTTP response headers one by one, explain what they mean in practice, and show you how to use our HTTP header checker to inspect any website's headers instantly.

How to Check HTTP Headers: Three Methods

Before analyzing individual headers, let us cover how to access them:

Method 1: Browser Developer Tools

1. Open Chrome, Firefox, or Edge
2. Press F12 (or Cmd+Option+I on Mac)
3. Go to the Network tab
4. Refresh the page (F5)
5. Click the first request (usually the HTML document)
6. Scroll to the "Response Headers" section

Method 2: Command Line with curl

curl -I https://example.com

# -I sends a HEAD request, so only the status line and headers come back.
# Some servers answer HEAD differently from GET (or reject it); to see the
# headers of a normal GET while discarding the body:
curl -s -D - https://example.com -o /dev/null

Method 3: Online HTTP Header Checker

The easiest method. Paste any URL into our HTTP header checker and get a clean, formatted display of all response headers. No command line knowledge required.

Content Headers: What the Server Is Sending

Content-Type
Tells the browser the media type and character encoding of the response body.
Content-Type: text/html; charset=UTF-8

This is one of the most important headers. It tells the browser how to interpret the response. Common values include text/html for web pages, application/json for API responses, image/png for images, and application/pdf for PDFs.

The charset parameter specifies text encoding. UTF-8 is the standard for web content and supports all languages and emoji.

Security note: If Content-Type is missing or incorrect, browsers may "sniff" the content type, which can lead to XSS vulnerabilities. Always set this header explicitly.

Content-Length
Specifies the size of the response body in bytes.
Content-Length: 45832

This header allows the browser to display download progress and determine when a transfer is complete. For chunked transfer encoding, this header is omitted and Transfer-Encoding: chunked is used instead.

Content-Encoding
Indicates any compression applied to the response body.
Content-Encoding: gzip

Compression reduces transfer sizes by 60-80% for text-based content. Common values: gzip (most compatible), br (Brotli, best compression ratio), deflate (older, less efficient). Most modern servers negotiate compression automatically based on the client's Accept-Encoding request header.

Caching Headers: Controlling How Content Is Stored

Cache-Control
The primary mechanism for controlling caching behavior (HTTP/1.1).
Cache-Control: max-age=3600, public

Cache-Control is the most powerful caching header. Key directives include:

  • max-age=3600 — Cache for 3600 seconds (1 hour)
  • no-cache — Cache but always revalidate before use
  • no-store — Do not cache at all (for sensitive data)
  • public — Any cache (browser, CDN, proxy) can store this
  • private — Only the user's browser should cache this
  • must-revalidate — Must check freshness after expiry

ETag
A unique identifier for a specific version of a resource.
ETag: "5d8c72a5edda8"

ETags enable conditional requests. When a cached resource expires, the browser sends If-None-Match with the ETag value. If the content has not changed, the server responds with 304 Not Modified—saving bandwidth by skipping the response body entirely.

Expires
Legacy caching header (HTTP/1.0) that sets an absolute expiry date.
Expires: Wed, 14 Apr 2026 12:00:00 GMT

Expires is superseded by Cache-Control but still widely used for backward compatibility. When both are present, Cache-Control takes priority. Most modern applications should use Cache-Control exclusively.
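The two caching mechanisms described above, Cache-Control taking precedence over Expires and the ETag / If-None-Match round trip ending in 304 Not Modified, shown as working code. This is an added example, not code from the original article: the function names, the constructed reference clock SAMPLE_NOW and the sample header values are chosen here for the demonstration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference clock for the examples below (not a real capture).
SAMPLE_NOW = datetime(2026, 4, 14, 11, 0, 0, tzinfo=timezone.utc)


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}, e.g.
    'max-age=3600, public' -> {'max-age': '3600', 'public': None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def freshness_lifetime(headers, now):
    """Seconds a response may be reused from cache without contacting the origin.
    Precedence follows the article: Cache-Control wins over Expires. A result of
    0 means 'do not reuse without revalidating' (no-store, no-cache, already
    expired, or no freshness information at all)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return int(max_age)
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return 0  # an unparseable Expires date counts as already expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return 0


def _strip_weak(etag):
    """Drop the W/ weak-validator prefix so weak and strong forms compare equal."""
    return etag[2:] if etag.startswith("W/") else etag


def handle_conditional_get(request_headers, current_etag, body):
    """Server side of the ETag round trip: returns (status, headers, body).
    A matching If-None-Match yields 304 with an empty body; anything else
    yields the full 200 response carrying the current ETag."""
    req = {k.lower(): v for k, v in request_headers.items()}
    inm = req.get("if-none-match")
    if inm:
        # If-None-Match may carry several ETags, or '*' meaning "any representation"
        candidates = [_strip_weak(t.strip()) for t in inm.split(",")]
        if "*" in candidates or _strip_weak(current_etag) in candidates:
            return 304, {"ETag": current_etag}, b""
    return 200, {"ETag": current_etag, "Content-Length": str(len(body))}, body


if __name__ == "__main__":
    print(freshness_lifetime({"Cache-Control": "max-age=3600, public"}, SAMPLE_NOW))
    print(freshness_lifetime({"Expires": "Tue, 14 Apr 2026 12:00:00 GMT"}, SAMPLE_NOW))
    status, hdrs, _ = handle_conditional_get(
        {"If-None-Match": '"5d8c72a5edda8"'}, '"5d8c72a5edda8"', b"<html>")
    print(status, hdrs)
```

Run it directly to see the lifetimes and the 304; the point to notice is that a no-store or no-cache directive zeroes the lifetime even when a max-age or Expires is present, which is exactly why sensitive responses should carry no-store rather than rely on a short max-age.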

Server Headers: Information About the Infrastructure

Server
Identifies the web server software.
Server: nginx/1.24.0

This header reveals what web server is running (nginx, Apache, LiteSpeed, etc.) and often includes the version number.

Security recommendation: Hide or minimize this header. Version information helps attackers identify known vulnerabilities. In nginx, use server_tokens off;. In Apache, set ServerTokens Prod.

X-Powered-By
Identifies the backend technology or framework.
X-Powered-By: Express

This header is added by many frameworks (Express, PHP, ASP.NET) by default. Like the Server header, it reveals technology details that can aid attackers.

Security recommendation: Remove this header entirely. In Express.js: app.disable('x-powered-by'). In PHP: set expose_php = Off in php.ini.

Security Headers: Your First Line of Defense

Security headers instruct browsers to enable built-in protections. These headers cost nothing to implement and can prevent entire categories of attacks. Here is your complete security header configuration guide:

🔒 Strict-Transport-Security

Forces HTTPS connections. Prevents protocol downgrade attacks and cookie hijacking.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age is in seconds (1 year = 31536000). includeSubDomains applies the policy to all subdomains. preload signals that the site is eligible for the browsers' built-in HSTS preload lists; the list entry itself is submitted separately, not by the header.

🛡️ Content-Security-Policy

Controls which resources the browser is allowed to load. Prevents XSS by restricting script sources.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com

Start with the Content-Security-Policy-Report-Only header to test without breaking your site, then switch to the enforcing header after validation. Note that 'unsafe-inline' in script-src, as in the example above, re-enables inline scripts and gives up most of the XSS protection; prefer nonces or hashes for inline code.

🖼️ X-Content-Type-Options

Prevents MIME type sniffing. Forces browsers to respect the declared Content-Type.

X-Content-Type-Options: nosniff

Simple but effective. Prevents browsers from executing files uploaded as images if they contain HTML.

🪟 X-Frame-Options

Controls whether your site can be embedded in iframes. Prevents clickjacking attacks.

X-Frame-Options: DENY

Use DENY to block all framing, or SAMEORIGIN to allow framing from your own domain only.

🔗 Referrer-Policy

Controls how much referrer information is sent when users click links.

Referrer-Policy: strict-origin-when-cross-origin

This is the recommended default—sends full referrer for same-origin requests but only the origin for cross-origin.

⚙️ Permissions-Policy

Controls which browser features (camera, microphone, geolocation) the page can use.

Permissions-Policy: camera=(), microphone=(), geolocation=()

Deny features your site does not need. Reduces the attack surface for malicious scripts.

Implementing Security Headers in Nginx

Here is a complete nginx configuration block for all recommended security headers:

# /etc/nginx/conf.d/security-headers.conf

# HSTS - Force HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Prevent MIME sniffing
add_header X-Content-Type-Options "nosniff" always;

# Prevent clickjacking
add_header X-Frame-Options "DENY" always;

# Control referrer information
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Control browser feature access
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

# Content Security Policy: start with the Report-Only header, then switch to the enforcing one
# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;

# Hide server version
server_tokens off;

Pro tip: Use the always parameter to ensure headers are sent on all response codes, including error pages. Without it, nginx only adds the headers to successful and redirect responses, so they are missing on 404 or 500 pages. Also remember that add_header is inherited from the server block only when the location block defines no add_header of its own; a single add_header inside a location silently drops every header set one level up, so repeat the full set (or include this file) wherever you add a location-specific header.

Implementing Security Headers in Apache

# .htaccess or virtual host configuration

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Header unset X-Powered-By
</IfModule>

ServerTokens Prod
ServerSignature Off

Scoring Your Headers: What to Look For

When you inspect a website's headers using our checker, look for these indicators of a well-configured server:

Check                   | Good                          | Bad
------------------------|-------------------------------|-----------------------------
HSTS present            | max-age ≥ 6 months            | Missing or max-age < 300
Content-Type            | Explicit with charset         | Missing charset
X-Content-Type-Options  | nosniff                       | Missing
X-Frame-Options         | DENY or SAMEORIGIN            | Missing or ALLOWALL
Server info             | Minimal or hidden             | Full version exposed
X-Powered-By            | Missing (removed)             | Present (tech exposed)
Cache-Control           | Appropriate for content type  | Missing (uses defaults)
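The checks from the table applied to the raw text that curl -s -D - prints, so the same scoring can run offline against saved responses. This is an added example, not the Risetop checker's code: parse_raw_response, audit_headers and score are names chosen here, the two sample responses are constructed, and the "warn" verdict for an HSTS max-age between 300 seconds and 6 months (taken as 180 days) is an assumption the table does not state.

```python
import re

# Threshold for a "good" HSTS max-age; 6 months taken as 180 days (assumption).
HSTS_GOOD_SECONDS = 180 * 24 * 3600  # 15552000

# Constructed sample responses in the shape `curl -s -D -` prints (not real captures).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html
Content-Length: 45832

<html>..."""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-store
Content-Length: 45832

<html>..."""


def parse_raw_response(raw):
    """Parse a status line plus header lines into (status_line, {lowercase-name: value}).
    Parsing stops at the first blank line so a trailing body is never read as headers;
    repeated header names are joined with ', ' as HTTP allows."""
    lines = raw.strip("\n").splitlines()
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_line, headers


def _max_age(value):
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value or "", re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Apply the scoring table's checks; returns a list of (check, verdict, detail)."""
    results = []

    hsts = _max_age(headers.get("strict-transport-security"))
    if hsts is None:
        results.append(("HSTS", "bad", "missing"))
    elif hsts < 300:
        results.append(("HSTS", "bad", f"max-age={hsts} is below 300"))
    elif hsts >= HSTS_GOOD_SECONDS:
        results.append(("HSTS", "good", f"max-age={hsts}"))
    else:
        results.append(("HSTS", "warn", f"max-age={hsts} is under 6 months"))

    ctype = headers.get("content-type")
    if not ctype:
        results.append(("Content-Type", "bad", "missing"))
    elif ctype.lower().startswith("text/") and "charset=" not in ctype.lower():
        results.append(("Content-Type", "bad", "text type without charset"))  # charset only matters for text types
    else:
        results.append(("Content-Type", "good", ctype))

    xcto = headers.get("x-content-type-options", "").lower()
    results.append(("X-Content-Type-Options", "good" if xcto == "nosniff" else "bad", xcto or "missing"))

    xfo = headers.get("x-frame-options", "").upper()
    results.append(("X-Frame-Options", "good" if xfo in ("DENY", "SAMEORIGIN") else "bad", xfo or "missing"))

    server = headers.get("server", "")
    if re.search(r"/\d", server):  # "name/1.2.3" pattern means a version is exposed
        results.append(("Server info", "bad", f"version exposed: {server}"))
    else:
        results.append(("Server info", "good", server or "hidden"))

    xpb = headers.get("x-powered-by")
    results.append(("X-Powered-By", "bad" if xpb else "good", xpb or "removed"))

    cc = headers.get("cache-control")
    results.append(("Cache-Control", "good" if cc else "bad", cc or "missing (browser defaults apply)"))
    return results


def score(results):
    """(number of good checks, total checks)."""
    return sum(1 for _, verdict, _ in results if verdict == "good"), len(results)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        status, hdrs = parse_raw_response(raw)
        results = audit_headers(hdrs)
        print(f"{label}: {status} -> {score(results)[0]}/{score(results)[1]} checks good")
        for check, verdict, detail in results:
            print(f"  {verdict:4} {check}: {detail}")
```

Pipe a live capture in with curl -s -D - https://example.com -o /dev/null | python3 -c 'import sys, audit; ...' or paste it into a string as above; the weak sample scores 0 of 7 and the hardened one 7 of 7, and the per-check detail tells you which directive to fix rather than just the score.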

Frequently Asked Questions

What are HTTP response headers?

HTTP response headers are metadata sent by a web server alongside the actual page content. They communicate information about the server, the content type, caching policies, security settings, and more. Headers are not displayed on the page itself but are visible to browsers, CDNs, and any tool that inspects HTTP traffic.

How do I check HTTP headers of a website?

You can check HTTP headers using browser developer tools (F12 → Network tab → click a request → Headers), the curl command line tool (curl -I https://example.com), or an online HTTP header checker like Risetop's tool, which provides a clean, formatted view of all response headers.

What security headers should every website have?

Every website should have: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy to control resource loading, X-Content-Type-Options to prevent MIME sniffing, X-Frame-Options to prevent clickjacking, Referrer-Policy to control referrer information, and Permissions-Policy to limit browser features.

What does Content-Type header do?

The Content-Type header tells the browser what kind of content is being served (e.g., text/html for web pages, application/json for APIs, image/png for images). It also specifies the character encoding. Incorrect Content-Type headers can cause browsers to mishandle content or create security vulnerabilities.

What is the difference between Cache-Control and Expires headers?

Cache-Control is the modern standard (HTTP/1.1) that provides granular control over caching with directives like max-age, no-cache, no-store, and must-revalidate. Expires is an older header (HTTP/1.0) that simply sets a date after which the content is considered stale. When both are present, Cache-Control takes priority.
