HTTP Header Inspector

Fetch any public URL and review its response headers, with notes on the security-relevant ones.


Overview

The HTTP header inspector fetches any public URL and lays out every response header it returns: status, cache-control, content-type, security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), CORS headers, and the rest. Each one is annotated with a short note on what it means and whether it follows current best practice.

Web developers auditing a launch, security engineers running a pre-flight check, and SEO consultants verifying the server's response to bots all need a fast HTTP response header viewer. Typical tasks: inspecting the security headers of a URL, checking a Content-Security-Policy without touching the browser, and viewing every HTTP response header a site returns.

How it works

The tool issues a single GET request to the URL through a server-side HTTP client with a short timeout, no cookie jar, and a fixed User-Agent. A GET is used rather than a HEAD because many servers answer HEAD with a different (or reduced) header set. The response status line, all headers, and the response body size are captured; the body itself is discarded. Redirects can be followed hop by hop or stopped at the first response so that a redirect's own headers, including the raw Location: header, can be inspected in isolation.

The interesting headers are grouped: caching (Cache-Control, ETag, Last-Modified), security (Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options), CORS (Access-Control-Allow-Origin, Access-Control-Allow-Credentials), and content (Content-Type, Content-Encoding, Content-Length). Anything else is shown verbatim in an "Other" group.
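The fetch-and-group step described above, as an added example in Python (not the inspector's own code). The User-Agent string, the timeout, the hop limit and the exact membership of each group are assumptions; the page names only the example headers in each group. `fetch_hop` makes one request with redirects disabled and no cookie handling, `next_hop` decides whether a response is a redirect and resolves its Location, and `group_headers` sorts the header list into the groups the page describes.

```python
"""Added example, not the tool's own implementation: minimal hop-by-hop header fetcher
and the grouping step."""
import http.client
import sys
import urllib.parse
from urllib.parse import urljoin

USER_AGENT = "header-inspector-example/1.0"   # assumed fixed UA
TIMEOUT = 5.0                                 # assumed short timeout, seconds
MAX_HOPS = 10                                 # matches the FAQ's default
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Group membership beyond the headers the page names is an assumption.
GROUPS = {
    "caching": {"cache-control", "etag", "last-modified", "expires", "age", "vary"},
    "security": {"strict-transport-security", "content-security-policy",
                 "x-content-type-options", "x-frame-options",
                 "referrer-policy", "permissions-policy"},
    "cors": {"access-control-allow-origin", "access-control-allow-credentials",
             "access-control-allow-methods", "access-control-allow-headers",
             "access-control-expose-headers"},
    "content": {"content-type", "content-encoding", "content-length"},
}


def group_headers(headers):
    """headers: list of (name, value) pairs as received; order and duplicates preserved.
    Returns {group: [(name, value), ...]} with an 'other' bucket for the rest."""
    grouped = {g: [] for g in GROUPS}
    grouped["other"] = []
    for name, value in headers:
        key = name.lower()
        for group, names in GROUPS.items():
            if key in names:
                grouped[group].append((name, value))
                break
        else:
            grouped["other"].append((name, value))
    return grouped


def next_hop(status, headers, base_url):
    """Resolved URL of the next hop if this response is a redirect, else None.
    Relative Location values are resolved against the URL that was requested."""
    if status not in REDIRECT_STATUSES:
        return None
    location = next((v for k, v in headers if k.lower() == "location"), None)
    return urljoin(base_url, location) if location else None


def fetch_hop(url):
    """One GET with no redirect following and no cookies.
    Returns (status, [(name, value), ...], body_size); the body is read only to
    measure it and is then discarded."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=TIMEOUT)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"User-Agent": USER_AGENT, "Accept": "*/*"})
        resp = conn.getresponse()
        headers = resp.getheaders()
        size = 0
        while chunk := resp.read(65536):
            size += len(chunk)
        return resp.status, headers, size
    finally:
        conn.close()


def follow_chain(url, max_hops=MAX_HOPS):
    """Follow redirects manually so every hop's headers are kept."""
    hops = []
    for _ in range(max_hops):
        status, headers, size = fetch_hop(url)
        hops.append({"url": url, "status": status, "headers": headers, "body_bytes": size})
        target = next_hop(status, headers, url)
        if target is None:
            return hops
        url = target
    raise RuntimeError(f"more than {max_hops} redirects from {hops[0]['url']}")


if __name__ == "__main__":
    for hop in follow_chain(sys.argv[1]):
        print(hop["status"], hop["url"], f"({hop['body_bytes']} body bytes)")
        for group, items in group_headers(hop["headers"]).items():
            for name, value in items:
                print(f"  [{group}] {name}: {value}")
```

Following redirects by hand, as above, is what makes per-hop inspection possible; a client that follows them internally returns only the final response. A fetcher like this that accepts arbitrary URLs from users must also refuse loopback, private and link-local targets (including any redirect that lands on one), or it becomes a server-side request forgery primitive; that guard is deliberately left out here to keep the example to the fetch-and-group logic.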

Examples

  • A static site with Cache-Control: public, max-age=31536000, immutable and Strict-Transport-Security: max-age=31536000; includeSubDomains; preload is well configured. Note that the preload directive does nothing on its own: it only takes effect once the domain is submitted to the browser preload list, and that commitment is hard to undo, so it should be set deliberately.
  • A response missing X-Content-Type-Options: nosniff is flagged because browsers may MIME-sniff a mislabelled response and treat it as script or a stylesheet; nosniff tells them to honour the declared Content-Type and reject scripts and styles served with the wrong type.
  • Server: Apache/2.4.41 reveals more than necessary, since a version banner lets a scanner match the host against known issues without probing. Modern best practice is to suppress the version; this is hygiene, not a substitute for patching the software itself.
  • Set-Cookie: session=abc; Secure; HttpOnly; SameSite=Strict is the recommended cookie hardening for a session cookie. Secure requires the site to be served over HTTPS, and SameSite=Strict withholds the cookie on top-level navigations from other sites, so sites that rely on cross-site links landing a user in a logged-in state commonly settle for SameSite=Lax.
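The best-practice annotations in the list above, written out as checks over a captured header list. This is an added example, not the inspector's own rules; the severity labels and the exact wording are assumptions, and the two sample responses are constructed for the example rather than captured from any real site. The CSP, framing and CORS checks go slightly beyond the four bullets, applying the same kind of test to the other headers the page says it annotates.

```python
"""Added example, not the tool's own rules: best-practice checks over a list of
(name, value) response headers."""
import re

HSTS_ONE_YEAR = 31536000


def _get(headers, name):
    """All values for a header, case-insensitive, in order (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit(headers):
    """Return a list of (level, header, note) findings. Levels are 'warn' or 'info'."""
    findings = []

    def add(level, header, note):
        findings.append((level, header, note))

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        add("warn", "Strict-Transport-Security", "missing; browsers will still follow http:// links to this host")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_ONE_YEAR:
            add("warn", "Strict-Transport-Security", f"max-age={age} is below one year ({HSTS_ONE_YEAR})")
        if "includesubdomains" not in hsts[0].lower():
            add("info", "Strict-Transport-Security", "no includeSubDomains; subdomains remain reachable over http")
        if "preload" in hsts[0].lower():
            add("info", "Strict-Transport-Security",
                "preload directive present; it only takes effect once the domain is on the browser preload list")

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        add("warn", "X-Content-Type-Options",
            "missing or not 'nosniff'; a mislabelled response may be sniffed and run as script or CSS")

    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        add("warn", "Content-Security-Policy", "missing; no restriction on script sources")
    elif re.search(r"'unsafe-(inline|eval)'", csp[0]):
        add("warn", "Content-Security-Policy", "allows 'unsafe-inline' or 'unsafe-eval', which weakens XSS protection")

    if not _get(headers, "X-Frame-Options") and not (csp and "frame-ancestors" in csp[0]):
        add("warn", "X-Frame-Options", "no X-Frame-Options and no CSP frame-ancestors; page can be framed")

    for server in _get(headers, "Server"):
        if re.search(r"\d", server):
            add("info", "Server", f"'{server}' exposes a version banner; suppress it (hiding it does not replace patching)")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split(";")[0].split("=")[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                add("warn", "Set-Cookie", f"cookie '{name}' lacks {flag}")

    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = _get(headers, "Access-Control-Allow-Credentials")
    if acao and acao[0].strip() == "*" and creds and creds[0].strip().lower() == "true":
        add("warn", "Access-Control-Allow-Origin",
            "wildcard origin combined with credentials; browsers reject the pairing, so it signals a misconfiguration")

    return findings


# Constructed sample responses for the example (not captured from any real site).
GOOD = [
    ("Cache-Control", "public, max-age=31536000, immutable"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc; Secure; HttpOnly; SameSite=Strict"),
]
WEAK = [
    ("Server", "Apache/2.4.41"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label)
        for level, header, note in audit(hdrs):
            print(f"  [{level}] {header}: {note}")
```

Run stand-alone, the well-configured sample produces a single informational note (the preload reminder) and the weak one produces a warning for each missing security header plus one per missing cookie attribute. Checks like these are deliberately conservative: they read only what the server sent and do not claim the site is safe when the headers look right, since a strong CSP with a permissive script-src, or an HSTS header served only on some paths, still passes a header-by-header test.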

FAQ

Does the tool follow redirects?

By default it follows up to 10 hops and reports each one. You can also choose to stop at the first response to inspect a redirect's headers in isolation.

Why do my headers differ when viewed in a browser?

Browsers send cookies, an Accept-Language header, and a real User-Agent. Some sites vary the response on these. The inspector uses a neutral profile to give a baseline view.

Can it inspect authenticated endpoints?

No. The tool only issues anonymous requests. Anything behind a login will return the public response (often a redirect to a sign-in page).

Is the URL stored or logged?

The fetch goes through a shared outbound HTTP client with rate limits and basic safety guards. Requests are not retained beyond the immediate response. Because the request is made from the inspector's server rather than your browser, the URL you submit does leave your machine; avoid pasting URLs that embed credentials, signed tokens or other secrets in the query string.
