Skip to content
DevUtil

HTTP Headers Inspector - View Headers & Security

About the HTTP Headers Inspector

HTTP response headers control how browsers cache content, enforce security policies, and handle connections. This tool fetches any public URL and displays all response headers in a clean, categorised table with a one-click copy button for each value.

The built-in security audit checks for six critical headers that protect against common web vulnerabilities. Missing headers are flagged so you can quickly identify gaps in your security configuration.

How to Use

Enter a URL (with or without protocol) and click Inspect. The tool fetches the page through a server-side proxy, collects the response headers, and displays them grouped by category. The security audit panel on the right shows which key security headers are present or missing.

Use Cases

  • Security audits. Check whether a site sends HSTS, CSP, and other security headers.
  • Caching troubleshooting. Verify Cache-Control, ETag, and Vary headers are set correctly.
  • Server fingerprinting. Identify the web server, CDN, and technology stack from response headers.
  • API debugging. Inspect content type, encoding, and CORS headers for API endpoints.

Related Tools

Theme & Technology Detector

Detect the CMS, framework, analytics, and hosting behind any website.

Redirect Checker

Trace the full redirect chain for any URL with status codes and timing.

Frequently Asked Questions

What HTTP headers does this tool show?
The tool shows all HTTP response headers returned by the server, grouped into five categories: Security (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy), Caching (Cache-Control, ETag, Expires, Last-Modified), Content (Content-Type, Content-Length, Content-Encoding), Server (Server, X-Powered-By, Via), and Other (any remaining headers).
What is the security audit checklist?
The security audit checks whether the server sends six important security headers: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy (CSP) to control resource loading, X-Content-Type-Options to prevent MIME sniffing, X-Frame-Options to block clickjacking, Referrer-Policy to control referrer leakage, and Permissions-Policy to restrict browser features. A green tick means the header is present; a red cross means it is missing.
Does this tool follow redirects?
Yes. The tool follows redirects automatically and shows the headers from the final response. If you want to inspect the redirect chain itself, including intermediate headers and status codes, use the Redirect Checker tool instead.
Is any data stored?
No. The server fetches the URL you provide, reads the response headers, and returns them to your browser. No URLs, headers, or results are logged or stored.