HTTP Header Checker

Enter any URL to inspect its HTTP response headers. Check security headers, caching configuration, CORS policy, and server information.

Why security headers matter

HTTP security headers are your first line of defense against common web attacks. They instruct the browser to enforce security policies before any page content loads. Without them, your site is vulnerable to cross-site scripting (XSS), clickjacking, protocol downgrade attacks, and MIME type confusion.

OWASP lists missing security headers as a common misconfiguration in their Top 10. The fix takes minutes: add a few lines to your web server or CDN configuration. The protection lasts as long as the headers are present.

The most impactful headers to add, in order of priority: Strict-Transport-Security (prevents HTTP downgrade), Content-Security-Policy (prevents XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), and Referrer-Policy (controls information leakage).

Caching headers explained

Cache-Control is the primary caching header. It tells browsers and CDNs how long to store a response before requesting a fresh copy. Common values: max-age=3600 (cache for 1 hour), no-cache (revalidate on every request), no-store (never cache).

ETag and Last-Modified enable conditional requests. The browser sends the stored ETag or date back to the server, and the server responds with 304 Not Modified if the content hasn't changed. This saves bandwidth without sacrificing freshness.
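As an added example that is not the tool's own code, the Python below plays both sides of the exchange described above: the client's first fetch, the validators the server returns, and the revalidation that yields 304 Not Modified when the content is unchanged (and a fresh 200 when it is not). It also parses Cache-Control into its directives and distinguishes no-cache from no-store. The resource body, its modification date and the content-hash ETag scheme are constructed for the example.

```python
"""Caching headers in practice: Cache-Control directives and conditional requests.

Added example, not the header checker's code. The resource, its Last-Modified
date and the ETag derivation are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def parse_cache_control(value: str) -> dict:
    """Parse 'max-age=3600, no-cache' into {'max-age': 3600, 'no-cache': None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = int(arg) if arg.isdigit() else (arg or None)
    return directives


def may_store(cache_control: str) -> bool:
    """no-store forbids caching altogether; no-cache only forces revalidation."""
    return "no-store" not in parse_cache_control(cache_control)


def strong_etag(body: bytes) -> str:
    """Derive a strong ETag from a content hash (one common server strategy)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def serve(request_headers: dict, body: bytes, last_modified: datetime):
    """Server side of a conditional request; returns (status, headers, body).

    If-None-Match takes precedence over If-Modified-Since. A match on the
    current ETag, or a modification time not newer than the client's date,
    is answered with 304 and an empty body.
    """
    validators = {
        "ETag": strong_etag(body),
        "Last-Modified": format_datetime(last_modified, usegmt=True),
        "Cache-Control": "max-age=3600",
    }
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        # The field may list several ETags, or '*' meaning "any representation".
        candidates = [c.strip() for c in inm.split(",")]
        if "*" in candidates or validators["ETag"] in candidates:
            return 304, validators, b""
    else:
        ims = request_headers.get("If-Modified-Since")
        if ims is not None:
            try:
                if last_modified <= parsedate_to_datetime(ims):
                    return 304, validators, b""
            except (TypeError, ValueError):
                pass  # an unparseable date is ignored rather than trusted
    return 200, validators, body


def exchange(body: bytes, last_modified: datetime, changed_body: bytes = None):
    """First fetch, then a revalidation with the stored ETag; returns both statuses."""
    status1, first_headers, _ = serve({}, body, last_modified)
    revalidation = {"If-None-Match": first_headers["ETag"]}
    current = body if changed_body is None else changed_body
    status2, _, _ = serve(revalidation, current, last_modified)
    return status1, status2


# Constructed resource: a fixed body and a fixed modification date.
BODY = b"<html><body>v1</body></html>"
LAST_MODIFIED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("unchanged:", exchange(BODY, LAST_MODIFIED))            # (200, 304)
    print("changed:  ", exchange(BODY, LAST_MODIFIED, b"v2"))     # (200, 200)
    print(parse_cache_control("max-age=3600, no-cache"))
```

The revalidation saves the body bytes only when the server can prove nothing changed; a body edit produces a different ETag and a full 200, which is why ETag beats Last-Modified for resources that change more than once per second.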

Frequently asked questions

What are HTTP response headers?
HTTP response headers are metadata the server sends along with every response. They tell the browser how to handle the content: how long to cache it, whether to enforce HTTPS, which resources are allowed to load, and what server software is running. Security headers in particular protect users from XSS, clickjacking, and protocol downgrade attacks.
What is Strict-Transport-Security (HSTS)?
HSTS tells the browser to only connect to your site over HTTPS, even if someone types http://. Without HSTS, a user's first request might go over plain HTTP before being redirected, creating a window for man-in-the-middle attacks. Set max-age to at least one year (31536000 seconds) and include includeSubDomains.
What is Content-Security-Policy (CSP)?
CSP tells the browser exactly which domains are allowed to serve scripts, styles, images, and other resources on your page. It is the most effective defense against cross-site scripting (XSS). Start with Content-Security-Policy-Report-Only to log violations without breaking your site, then switch to enforcement once your policy is clean.
Why is the Server header a security concern?
The Server header (e.g. "Apache/2.4.52" or "nginx/1.24.0") reveals your web server software and version. Attackers use this to look up known vulnerabilities for that specific version. Remove or generalize the Server header in your web server configuration.
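As an added example, not code from this tool or page, the Python below shows how the checks described under "Why security headers matter" and in the HSTS, CSP and Server header answers above can be automated: it parses the head of a constructed HTTP/1.1 response and reports which of the five priority headers are missing or weak (HSTS max-age below one year or without includeSubDomains, a CSP that is only Report-Only) and whether the Server header exposes a version number. The sample response, the ONE_YEAR threshold and all function names are this example's own assumptions.

```python
"""Audit the security-relevant headers of an HTTP response head.

Added example, not the header checker's code. The sample response is
constructed; the thresholds follow the recommendations on this page.
"""
import re

ONE_YEAR = 31536000  # seconds: the minimum HSTS max-age recommended on this page


def parse_response_head(raw: str):
    """Split a raw HTTP/1.1 response head into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires; repeated fields are joined with ', '; any body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name:
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def _directives(value: str) -> dict:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: dict) -> dict:
    """Return {header: finding}; 'ok' means the check passed."""
    findings = {}

    # HSTS: present, max-age of at least a year, includeSubDomains set
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["strict-transport-security"] = "missing"
    else:
        d = _directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        problems = []
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} < {ONE_YEAR}")
        if "includesubdomains" not in d:
            problems.append("no includeSubDomains")
        findings["strict-transport-security"] = "; ".join(problems) or "ok"

    # CSP: only an enforced policy counts; Report-Only alone blocks nothing
    if "content-security-policy" in headers:
        findings["content-security-policy"] = "ok"
    elif "content-security-policy-report-only" in headers:
        findings["content-security-policy"] = "report-only (not enforced)"
    else:
        findings["content-security-policy"] = "missing"

    # X-Frame-Options: DENY and SAMEORIGIN are the meaningful values
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = "ok"
    else:
        findings["x-frame-options"] = f"unexpected value {xfo!r}" if xfo else "missing"

    # X-Content-Type-Options: the only defined value is nosniff
    xcto = headers.get("x-content-type-options", "").lower()
    findings["x-content-type-options"] = "ok" if xcto == "nosniff" else "missing or not nosniff"

    # Referrer-Policy: any explicit policy is better than the browser default
    findings["referrer-policy"] = "ok" if "referrer-policy" in headers else "missing"

    # Server: flag a version number (the FAQ's concern); a bare product name is tolerated
    server = headers.get("server", "")
    findings["server"] = f"reveals version: {server}" if re.search(r"\d+\.\d+", server) else "ok"

    return findings


# Constructed sample response (not a real capture) with a weak configuration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    status, hdrs = parse_response_head(SAMPLE_RESPONSE)
    print(f"HTTP status {status}")
    for name, finding in audit_security_headers(hdrs).items():
        print(f"{name:32} {finding}")
```

Run against the sample, the audit reports the short HSTS lifetime, the unenforced CSP, the two absent headers and the nginx version string; a response carrying the recommended values for all six fields reports "ok" throughout.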
How do I add security headers to my site?
For Nginx, add headers in the server block with add_header directives. For Apache, use Header set in .htaccess or server config. For Cloudflare, use Transform Rules or Workers. For Vercel, add a headers section to vercel.json. For Next.js, configure headers in next.config.js.
Is this tool free?
Yes, free with no signup. For continuous monitoring that checks your headers, SSL, and uptime on a schedule and alerts you when something changes, try Vantaj's free tier.