App StoreApp Store
Google PlayGoogle Play
Temp Mail Logo

Temp Mail safeguards your privacy while keeping your inbox free from spam.

📋 Response Headers · Cache · Security · Cookies · CORS

HTTP Headers Checker

Free HTTP response headers viewer. Enter any URL to instantly see all its response headers — content type, cache-control, security headers, cookies, CORS policy, and more — colour-coded by category with descriptions.

✓ All response headers✓ Colour-coded categories✓ Security audit✓ Filter & search✓ No signup
HTTP Response Headers Viewer
Try:
📋
Enter a URL to view its HTTP response headers
What this tool does

Free HTTP headers checker — view and analyse all response headers for any URL

How HTTP headers work, what the categories mean, and why headers matter for security and performance

This HTTP headers checker fetches the specified URL from our server (so there are no browser CORS restrictions) and returns every response header sent by the web server. Headers are colour-coded into categories — Security, Caching, Content, CDN, Server, Cookies, and CORS — so you can quickly find what you're looking for. A built-in security audit instantly flags any of the six key security headers that are missing.

HTTP headers are the invisible layer of every web request. They tell browsers how to cache resources, which security policies to enforce, what content type is being served, which cookies to store, and whether CORS requests are allowed. Misconfigured headers are one of the most common sources of both security vulnerabilities and performance problems. This tool gives you a complete, readable view of all headers in one place.

Common use cases: verifying security headers after server configuration changes, debugging cache behaviour by checking Cache-Control and ETag, checking cookie security flags, investigating CDN behaviour via Cloudflare or Fastly headers, or simply understanding why a page is loading slowly due to missing or incorrect cache headers.

Features and capabilities
All Response Headers
Every header the server returns — not just the well-known ones. Scroll the full list to find custom or CDN-specific headers.
Security Audit
Instantly flags the 6 most important missing security headers with a banner showing exactly which ones to add.
Colour-Coded Categories
Headers grouped and colour-coded by type: Security (green), Caching (purple), CDN (amber), Server (orange), Cookies (teal).
Real-Time Filter
Type in the filter box to search headers by name or value — useful on response-heavy APIs with 40+ headers.
Security-Only Tab
One-click tab to show only security-relevant headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
Status Code Display
HTTP status code shown prominently in colour: green for 2xx success, amber for 3xx redirect, red for 4xx/5xx errors.
Server-Side Fetch
Requests are made from our server, not your browser — bypasses CORS and shows headers exactly as a crawler would see them.
Header Descriptions
Inline descriptions explain what each header does so you don't need to open MDN docs for every unfamiliar header name.
No Signup Required
Paste any URL and click Check Headers — no account, no API key, no rate limit on standard use.
Examples

HTTP header examples — cache headers, security headers, and common server responses

Real HTTP response header examples with explanations of what each value means
Cache HeadersWell-configured caching — immutable static assets
HTTP/2 200 OK cache-control: public, max-age=31536000, immutable etag: "6f3d-abc123" last-modified: Mon, 01 Jan 2024 00:00:00 GMT vary: Accept-Encoding content-type: application/javascript; charset=utf-8 content-encoding: br

This is the ideal response for a static asset like a hashed JS or CSS file. max-age=31536000 caches it for a year, immutable tells the browser not to even try revalidating it, and brotli (br) compression is used. The ETag enables conditional requests for future revalidation if the cache-control ever expires.

Security HeadersComplete security header set — A+ configuration
strict-transport-security: max-age=63072000; includeSubDomains; preload content-security-policy: default-src 'self'; script-src 'self' x-frame-options: DENY x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin permissions-policy: camera=(), microphone=(), geolocation=()

A complete security header set. HSTS forces HTTPS for 2 years including subdomains. CSP restricts script sources. X-Frame-Options prevents clickjacking. nosniff stops MIME sniffing. Referrer-Policy limits URL leakage. Permissions-Policy blocks browser features not needed. This configuration earns an A+ grade in security scanners.

Server Info LeakServer and X-Powered-By headers revealing sensitive version info
❌ server: Apache/2.4.51 (Ubuntu) ❌ x-powered-by: PHP/8.1.12 Fix for Apache (.htaccess or httpd.conf): ServerTokens Prod # Hides version Header unset X-Powered-By Fix for PHP (php.ini): expose_php = Off

Exposing server software and versions lets attackers know exactly which CVEs to target. Apache/2.4.51, PHP/8.1.12 — both have known vulnerabilities. Set ServerTokens Prod in Apache to only show "Apache", and disable expose_php in PHP. Nginx uses server_tokens off. This is a quick win that takes 2 minutes and immediately reduces your attack surface.

FAQ

Frequently asked questions about HTTP response headers

What are HTTP response headers?
HTTP response headers are metadata sent by the web server alongside the actual page content. They tell the browser how to handle the response — what content type it is, how long to cache it, what security policies to enforce, whether to allow CORS requests, and much more. Every HTTP response has headers, but they're invisible in normal browsing. Tools like this one make them visible so developers and security researchers can inspect and debug them.
What is the Content-Type header?
The Content-Type header tells the browser what kind of data the response contains — for example text/html for a webpage, application/json for API responses, or image/png for PNG images. It also typically includes the character encoding: Content-Type: text/html; charset=utf-8. Without a correct Content-Type header, browsers may guess incorrectly (MIME sniffing), which is a security risk. The X-Content-Type-Options: nosniff security header prevents this guessing.
What does Cache-Control mean?
Cache-Control is a set of directives that control how long browsers and proxy caches keep a copy of the response. Common values include: no-cache (must revalidate before using cache), no-store (never cache — use for sensitive data), max-age=3600 (cache for 3600 seconds), public (can be cached by shared proxies), and private (browser cache only, not shared proxies). Proper cache headers dramatically improve page load speed by avoiding unnecessary server round-trips.
What is the Server header and is it a security risk?
The Server header identifies the web server software, often including its version — for example Server: nginx/1.21.6 or Server: Apache/2.4.51. This is a minor security risk because it tells attackers which software to target with known vulnerabilities. Best practice is to remove or obfuscate the Server header. Similarly, X-Powered-By (which reveals PHP, ASP.NET, or Express versions) should be removed. In Nginx, set server_tokens off; to hide version numbers.
What is ETag and how does conditional caching work?
An ETag (Entity Tag) is a unique identifier the server assigns to a specific version of a resource. When a browser re-requests a cached resource, it sends the ETag back in an If-None-Match header. If the resource hasn't changed, the server responds with 304 Not Modified (no body) — saving bandwidth. If the resource has changed, the server sends the new version with a new ETag. ETags work alongside Last-Modified / If-Modified-Since for conditional GET requests.
What does the Set-Cookie header show?
Set-Cookie instructs the browser to store a cookie. Each cookie can have attributes: Secure (only send over HTTPS), HttpOnly (JavaScript cannot access it — prevents XSS theft), SameSite=Strict|Lax|None (CSRF protection), Max-Age or Expires (expiry), Path, and Domain. All session and authentication cookies should have Secure, HttpOnly, and SameSite=Lax or Strict. Missing these flags is a common security vulnerability that this tool highlights.
What is CORS and what does Access-Control-Allow-Origin mean?
CORS (Cross-Origin Resource Sharing) is a security mechanism that controls which external websites can make API requests to your domain. The Access-Control-Allow-Origin header specifies allowed origins: * means any website can call your API (dangerous for APIs with authentication), a specific origin like https://app.example.com restricts it to that domain. If this header is missing on an API, browsers will block cross-origin requests by default. Misconfigured CORS (e.g. Access-Control-Allow-Origin: * on an authenticated API) is a serious security vulnerability.
What is the Via header?
The Via header lists the intermediate proxies and gateways a request or response has passed through. Each hop appends its identifier. For example: Via: 1.1 varnish, 1.1 cloudflare means the request passed through a Varnish cache and then Cloudflare's network. This is useful for debugging CDN configurations and verifying that traffic is routing through expected intermediaries.
Related Tools

Need a disposable email address?Get a free instant throwaway email — no signup, no trace.

Get Free Temp Mail →