HTTP Response Header Checker
Enter any URL to fetch and inspect its HTTP response headers, grouped by category with plain-English explanations. Receive an A–F security grade based on which critical security headers — HSTS, CSP, X-Frame-Options, and more — are present. Works with public APIs and CORS-enabled endpoints; honest about browser limitations for others. Once you have inspected a response, use the JSON Formatter to validate the body, or a regular expression tester to parse specific header values.
CORS-enabled public APIs (e.g. api.github.com) work well. Private sites or those without CORS headers will show a friendly error with instructions for inspecting headers via DevTools or curl.
How to Use the HTTP Header Checker
- Enter the full URL of the endpoint you want to inspect (e.g. https://api.github.com).
- Click Fetch Headers or press Enter — the tool makes a live GET request and collects the response headers.
- View all headers in the All Headers tab, grouped into Content, Caching, Security, CORS, and Server categories with plain-English descriptions.
- Switch to the Security Analysis tab to see which of the 6 critical security headers are present or missing, with an explanation of each.
- The status bar shows the HTTP status code, response time, total header count, and an A–F security grade.
- Click Copy All Headers to copy the full header list in key: value format.
Key Features
- Live HTTP header fetch for CORS-enabled URLs
- Headers grouped into Content, Caching, Security, CORS, and Server categories
- Plain-English explanation for every known header
- Security analysis for 6 critical headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- A–F security grade based on missing security headers
- Response time measurement in milliseconds
- Copy all headers to clipboard as plain text
- Honest CORS limitation disclosure with DevTools and curl fallback instructions
Use Cases
Check security headers online before a site audit
Before conducting a security audit, use this tool to quickly identify which of the 6 key security headers are missing. A low grade (D or F) indicates significant hardening work ahead — CSP, HSTS, and X-Frame-Options are the highest-priority fixes.
Verify CORS headers for a public API endpoint
When building a front-end app that consumes a third-party API, paste the API base URL here to confirm which Access-Control-Allow-* headers the server returns and whether cross-origin requests will be permitted by the browser.
Inspect caching headers to debug CDN behaviour
Cache-Control, Expires, ETag, and Vary headers directly control how CDNs and browsers cache your responses. Viewing these values helps explain stale content issues, unexpected cache misses, and overly aggressive browser caching.
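To make the caching rules above concrete, here is an added example (not Toolaroid's own code) that derives how a browser cache and a shared cache such as a CDN would treat a response from its Cache-Control, Expires, Date, ETag, Last-Modified and Vary headers, following the freshness precedence in RFC 9111. The sample responses are constructed for the demo; the function and field names are this example's own.

```javascript
// Added example (not the tool's own code): derive how a browser cache and a
// shared cache (CDN) would treat a response from its caching headers.

// "public, max-age=60, s-maxage=600" -> { public: true, "max-age": "60", "s-maxage": "600" }
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (!name) continue;
    out[name.toLowerCase()] = rest.length ? rest.join("=").replace(/^"|"$/g, "") : true;
  }
  return out;
}

function describeCaching(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const cc = parseCacheControl(h["cache-control"]);
  const info = {
    storable: !("no-store" in cc),                               // no-store: nobody may keep a copy
    sharedCacheable: !("no-store" in cc) && !("private" in cc),  // private: browser only, a CDN must not store it
    mustRevalidate: "no-cache" in cc,                            // no-cache: stored copy is checked with the origin before reuse
    browserFreshness: 0,                                         // seconds the browser may serve it without asking the origin
    sharedFreshness: 0,                                          // same for a CDN / shared cache
    validators: ["etag", "last-modified"].filter((n) => n in h), // what a conditional revalidation request can use
    varyOn: h.vary ? h.vary.split(",").map((s) => s.trim()).filter(Boolean) : [], // request headers that split the cache key
  };
  if (!info.storable) return info;

  // Freshness lifetime precedence (RFC 9111 section 4.2.1): s-maxage for shared caches,
  // then max-age, then Expires minus Date. With none of them present, caches guess
  // heuristically, which is one common source of "why is this stale?" surprises.
  let lifetime = 0;
  if ("max-age" in cc) lifetime = Number(cc["max-age"]) || 0;
  else if (h.expires && h.date) lifetime = Math.max(0, (Date.parse(h.expires) - Date.parse(h.date)) / 1000) || 0;
  info.browserFreshness = lifetime;
  if (info.sharedCacheable) info.sharedFreshness = "s-maxage" in cc ? Number(cc["s-maxage"]) || 0 : lifetime;
  return info;
}

// Constructed sample responses for the demo; not captured from any real site.
const SAMPLE_CDN_PAGE = {
  "Date": "Wed, 21 Oct 2015 07:28:00 GMT",
  "Cache-Control": "public, max-age=60, s-maxage=600",
  "ETag": '"abc123"',
  "Vary": "Accept-Encoding",
};
const SAMPLE_USER_PAGE = {
  "Date": "Wed, 21 Oct 2015 07:28:00 GMT",
  "Expires": "Wed, 21 Oct 2015 07:38:00 GMT",
  "Cache-Control": "private, no-cache",
};
const SAMPLE_NO_STORE = { "Cache-Control": "no-store" };

console.log(describeCaching(SAMPLE_CDN_PAGE), describeCaching(SAMPLE_USER_PAGE));
```

The CDN page sample shows the usual split a practitioner is debugging: the browser keeps it for 60 seconds but the CDN for 600, so "stale" content at the edge can outlive what a developer sees locally. The user page sample shows why a personalised response must carry private (or no-store) so a shared cache never serves one user's page to another.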
Confirm HSTS and Content-Security-Policy are deployed
After deploying security header changes to production, verify them instantly by entering your domain. The Security Analysis tab shows the exact header values so you can confirm max-age, includeSubDomains, and CSP directives are correct.
Inspect HTTP headers for API documentation
API writers can use this tool to capture the exact response headers a server returns and include them in documentation, helping consumers understand caching behavior, rate limit headers, and content negotiation options. If your docs are HTML-based, the HTML Beautifier helps keep the markup clean before publishing.
FAQs
Browsers enforce the Same-Origin Policy, which prevents JavaScript from reading the response headers of cross-origin requests unless the server explicitly allows it with an Access-Control-Allow-Origin header. Public APIs are usually configured to allow this; regular websites are not. For unrestricted access, use DevTools (F12 → Network tab) or run curl -I <url> in a terminal.
HTTP Strict Transport Security (HSTS) tells browsers to always connect using HTTPS for a domain for a specified duration (max-age). Without HSTS, a user who types your domain without https:// makes an initial unencrypted request that an attacker on the same network could intercept and redirect to a malicious site before your server's HTTPS redirect fires.
CSP is a browser security feature that restricts which sources can supply scripts, styles, images, fonts, and frames for a page. A strict CSP is the primary defense against Cross-Site Scripting (XSS) — even if an attacker injects a script tag, the browser refuses to execute it if the source is not on the CSP allowlist. Without CSP, any injected script runs with full page context.
Without the X-Content-Type-Options header, some browsers try to "sniff" the actual content type by examining the response body, overriding the declared Content-Type. An attacker can exploit this to serve a malicious script disguised as an image. Setting nosniff forces the browser to respect the declared content type and refuse to execute mismatched content.
The grade reflects how many of the 6 key security headers are present: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. 6 present = A, 5 = B, 4 = B, 3 = C, 2 = D, 1 = D, 0 = F. This is a quick presence indicator — the actual security depends on the specific values of each header, not just on its presence.
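The grading table above only counts presence; the value checks the FAQ goes on to describe (HSTS max-age and includeSubDomains, DENY or SAMEORIGIN for X-Frame-Options, nosniff, the recommended Referrer-Policy values, frame-ancestors in CSP) are what decide whether a header actually helps. The following is an added example, not Toolaroid's own code, that applies the page's grade table to a header map and then flags weak values among the headers that are present. The one-year HSTS threshold and the inline-script check on CSP are this example's assumptions; the sample responses are constructed.

```javascript
// Added example (not the tool's own code): grade a response by the six
// security headers the page lists and flag weak values of those present.
// Thresholds (one-year HSTS max-age, the recommended Referrer-Policy values)
// are assumptions for this example, not the tool's exact rules.

const SECURITY_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
  "permissions-policy",
];

// Grade table from the page, indexed by the number of headers present:
// 0 = F, 1 = D, 2 = D, 3 = C, 4 = B, 5 = B, 6 = A.
const GRADES = ["F", "D", "D", "C", "B", "B", "A"];

// Accept a plain object or a fetch() Headers instance; lowercase the names.
function normalizeHeaders(headers) {
  const entries = typeof headers.entries === "function" ? headers.entries() : Object.entries(headers);
  const out = {};
  for (const [k, v] of entries) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Parse "max-age=31536000; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const directives = value.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  return {
    maxAge: maxAge ? parseInt(maxAge.slice("max-age=".length), 10) : NaN,
    includeSubDomains: directives.includes("includesubdomains"),
    preload: directives.includes("preload"),
  };
}

// Return the source list of one CSP directive (e.g. frame-ancestors), or null if absent.
function cspDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function analyzeSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const present = SECURITY_HEADERS.filter((name) => name in h);
  const missing = SECURITY_HEADERS.filter((name) => !(name in h));
  const findings = [];

  if (h["strict-transport-security"]) {
    const hsts = parseHsts(h["strict-transport-security"]);
    if (!(hsts.maxAge >= 31536000)) findings.push("HSTS max-age is below one year");
    if (!hsts.includeSubDomains) findings.push("HSTS lacks includeSubDomains");
  }
  if (h["content-security-policy"]) {
    const csp = h["content-security-policy"];
    const scripts = cspDirective(csp, "script-src") || cspDirective(csp, "default-src") || [];
    if (scripts.some((s) => s === "'unsafe-inline'" || s === "*")) findings.push("CSP permits inline or wildcard scripts");
    if (cspDirective(csp, "frame-ancestors") === null) findings.push("CSP has no frame-ancestors directive");
  }
  if (h["x-frame-options"] && !["deny", "sameorigin"].includes(h["x-frame-options"].toLowerCase())) {
    findings.push("X-Frame-Options should be DENY or SAMEORIGIN");
  }
  if (h["x-content-type-options"] && h["x-content-type-options"].toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options must be nosniff");
  }
  if (h["referrer-policy"] && !["strict-origin-when-cross-origin", "no-referrer"].includes(h["referrer-policy"].toLowerCase())) {
    findings.push("Referrer-Policy is weaker than the recommended values");
  }
  return { grade: GRADES[present.length], present, missing, findings };
}

// Constructed sample responses for the demo; not captured from any real site.
const SAMPLE_HARDENED = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()",
  "Content-Type": "text/html; charset=utf-8",
};
const SAMPLE_WEAK = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOW-FROM https://example.com",
};

console.log(analyzeSecurityHeaders(SAMPLE_HARDENED).grade, analyzeSecurityHeaders(SAMPLE_WEAK));
```

The weak sample scores D by the table but also collects three findings: a five-minute HSTS lifetime, no includeSubDomains, and an X-Frame-Options value browsers no longer honour. That is the gap between "header present" and "header effective" that the page warns about, and it is why a grade should be read together with the exact values shown in the Security Analysis tab.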
X-Frame-Options prevents your page from being loaded inside an <iframe> on another site. Without it, an attacker can embed your page invisibly over a malicious page and trick users into clicking your buttons — a technique called clickjacking. Set it to DENY or SAMEORIGIN to block this. Modern alternatives use the frame-ancestors CSP directive.
The Referrer-Policy controls how much referrer information is included in the Referer header when a user navigates from your page to another site. Without it, full URLs — including query parameters that may contain session tokens or sensitive search terms — are leaked. Recommended values are strict-origin-when-cross-origin or no-referrer.
Use browser DevTools: press F12, click the Network tab, reload the page, click the first request, and open the Headers section. Alternatively run curl -I https://example.com in a terminal — this makes a HEAD request and prints all response headers without any CORS restriction, since it is not a browser request.
Security headers are one of the quickest wins in web security — they cost nothing to add and significantly raise the bar for common attacks. Yet many sites still score D or F because headers like Content-Security-Policy are never configured. Toolaroid's HTTP Header Viewer gives developers, security engineers, and site owners a fast way to audit any CORS-friendly endpoint and understand exactly what each header does in plain English. Pair it with the cURL Builder to craft custom test requests, or use it alongside DevTools for a complete picture of your site's HTTP security posture.