
HTTP Headers Analyzer
Free Server Header Checker & Security Audit Tool

Use our free HTTP headers analyzer to check HTTP response headers for any website. This server header checker fetches all response headers, checks HTTP status codes, audits security headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Permissions-Policy. Detect server signature leaks (Nginx/Apache version, PHP version), analyze Cache-Control performance, inspect CORS headers, and view your browser's request headers.

Quick Answer: What Is an HTTP Headers Analyzer?

An HTTP headers analyzer is an online header lookup tool that fetches and displays the response headers sent by a web server. It reveals the HTTP status code (200, 301, 404, 500), security headers (CSP, HSTS, X-Frame-Options), server signature information (Nginx, Apache, PHP version), caching directives (Cache-Control, Expires), CORS configuration, and protocol details. Our server header checker grades security posture from A+ to F based on 8 critical headers.

Check HTTP Response Headers for Any Website

Enter a URL to get website header info, check HTTP status codes, audit security headers, and detect server signature leaks.

Your Browser's Request Headers

These are the headers your browser sends to every website you visit. They form your digital fingerprint.

Written & Verified By: Robert Harrison, OSINT & Network Utility Expert

Robert specializes in HTTP protocol analysis, server security auditing, port scanning, and network forensics. He helps developers, sysadmins, and security analysts inspect HTTP headers, diagnose redirect chains, audit security configurations, and optimize web server performance.

What Is an HTTP Headers Analyzer and Why Does It Matter?

An HTTP headers analyzer is an online request header viewer that fetches and displays the invisible metadata exchanged between your browser and web servers during every HTTP request-response cycle. When you visit a website, your browser sends request headers (User-Agent, Accept-Language, Cookie), and the server responds with response headers (HTTP status code, security directives, caching rules, server identification).

Our HTTP header lookup tool does both: it displays your browser's outgoing request headers AND lets you check HTTP response headers for any website by entering its URL. This dual capability makes it invaluable for web developers debugging redirects, security analysts auditing Content-Security-Policy (CSP) and HSTS configurations, SEO specialists analyzing 301/302 redirect chains, and privacy researchers checking for server signature leaks.

According to Wikipedia's list of HTTP header fields, there are over 70 standardized header fields maintained by the IETF, plus countless custom headers used by CDNs, frameworks, and applications. Our tool captures them all and grades security posture from A+ to F based on 8 critical headers that protect against XSS, clickjacking, and man-in-the-middle attacks.

Key Fact: Our HTTP headers analyzer checks 8 critical security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy, X-XSS-Protection, and Cross-Origin-Opener-Policy. Each missing header exposes a specific vulnerability that attackers can exploit.

How to Check If Security Headers Are Missing Online

Security headers are response headers that instruct browsers to activate built-in security mechanisms. Without them, your website is vulnerable to cross-site scripting (XSS), clickjacking, MIME-sniffing attacks, and protocol downgrade attacks. Our server header checker audits all critical security headers automatically.

Content-Security-Policy (CSP) — XSS Shield

CSP is the most powerful security header. It tells the browser which sources are allowed to load scripts, styles, images, and other resources. A properly configured CSP prevents cross-site scripting (XSS) attacks by blocking unauthorized inline scripts and external script injections. Check your CSP with our HTTP headers analyzer to verify it covers script-src, style-src, and img-src directives.

Strict-Transport-Security (HSTS) — HTTPS Enforcement

HSTS tells browsers to only connect via HTTPS for a specified duration (typically 1 year = 31536000 seconds). Without HSTS, attackers can perform SSL stripping attacks to intercept your traffic on insecure networks. The includeSubDomains and preload directives extend protection to all subdomains and enable browser preloading. Verify your HTTPS configuration with our SSL Certificate Checker.

X-Frame-Options — Clickjacking Prevention

X-Frame-Options prevents your website from being embedded in iframes on other domains — the primary vector for clickjacking attacks. Set to "DENY" to block all framing, or "SAMEORIGIN" to allow only same-domain embedding. Our tool checks for this header and flags it as missing if absent.

X-Content-Type-Options — MIME Sniffing Defense

X-Content-Type-Options: nosniff prevents browsers from MIME-type sniffing — a technique where browsers ignore the declared Content-Type and try to guess the file type, which can lead to script execution vulnerabilities. This is the simplest security header to implement and has zero side effects.

Permissions-Policy — Feature Access Control

Permissions-Policy (formerly Feature-Policy) controls which browser features your website can access: camera, microphone, geolocation, payment, fullscreen, and more. Restricting unnecessary features reduces your attack surface and improves GDPR privacy compliance. For more on browser privacy, see our Browser Leak Test.

Why Is My Website Leaking Server Version in Headers?

Web servers include a Server header by default that reveals the software name and version: "nginx/1.25.3" or "Apache/2.4.58 (Ubuntu) PHP/8.2.10". This server signature information helps attackers identify the exact software version and target known vulnerabilities (CVEs) for that version. Our server header checker automatically detects version leaks.

How to Hide Server Version on Nginx

# In nginx.conf (http block):
server_tokens off;
# This changes "nginx/1.25.3" to just "nginx"
# For complete removal, use the headers-more module (ngx_http_headers_more_filter_module,
# bundled in the Debian/Ubuntu nginx-extras package):
more_clear_headers Server;

How to Hide Server Version on Apache

# In httpd.conf or apache2.conf (ServerTokens is only valid in the main server config, not .htaccess):
ServerTokens Prod
ServerSignature Off
# ServerTokens Prod shows only "Apache"
# ServerSignature Off removes version from error pages
# To hide PHP version, edit php.ini:
expose_php = Off

After making these changes, restart your web server and use our HTTP headers analyzer to verify the Server header no longer leaks version information. Check your server's open ports with our Port Scanner to ensure only necessary services are exposed.

Security Risk: A server header showing "Apache/2.4.49" is particularly dangerous because that specific version has a known path traversal vulnerability (CVE-2021-41773). Attackers actively scan for these version strings. Always hide server versions AND keep your software updated.
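As an added example, not the TrustMyIP tool's own code, the Python audit below applies the checks from the security-header sections above and the version-leak check from this section to one response's headers: presence of the 8 graded headers, an HSTS max-age of at least a year, a CSP whose script-src still allows inline or wildcard sources, and product/version strings in Server or X-Powered-By. The A+ to F scale and the two sample responses are assumptions constructed here.

```python
import re

# The 8 headers the page grades on (compared case-insensitively).
REQUIRED_HEADERS = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "permissions-policy", "referrer-policy",
    "x-xss-protection", "cross-origin-opener-policy",
)
# Product/version pairs in Server or X-Powered-By, e.g. "nginx/1.25.3", "PHP/8.2.10".
VERSION_RE = re.compile(r"\b(nginx|apache|php|openssl|iis)[/ ]?v?(\d+(?:\.\d+)+)", re.I)


def grade(findings):
    """Assumed scale (the page does not publish its own): start at 100,
    -10 per missing header, -5 per weak value or version leak."""
    score = 100 - sum(10 if f.startswith("MISSING") else 5 for f in findings)
    for cutoff, letter in ((95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


def audit_headers(headers):
    """Return (findings, grade). Findings are tagged MISSING, WEAK or LEAK."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"MISSING {n}" for n in REQUIRED_HEADERS if n not in h]

    # HSTS: a max-age under one year (31536000 s) weakens the SSL-stripping defence.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings.append("WEAK strict-transport-security: max-age below 31536000")

    # CSP: script-src (or the default-src fallback) must exist and must not allow
    # 'unsafe-inline' or a bare wildcard, otherwise injected scripts still run.
    if "content-security-policy" in h:
        directives = {}
        for part in h["content-security-policy"].split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        src = directives.get("script-src", directives.get("default-src", []))
        if not src or "'unsafe-inline'" in src or "*" in src:
            findings.append("WEAK content-security-policy: script sources unrestricted, wildcard or inline")

    # Version leaks: the disclosure that server_tokens / ServerTokens / expose_php remove.
    for name in ("server", "x-powered-by"):
        for product, version in VERSION_RE.findall(h.get(name, "")):
            findings.append(f"LEAK {name}: {product}/{version}")
    return findings, grade(findings)


# Constructed sample responses (not captured from any real site).
GOOD = {
    "Server": "nginx", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin", "X-XSS-Protection": "1; mode=block",
    "Cross-Origin-Opener-Policy": "same-origin",
}
LEAKY = {
    "Server": "Apache/2.4.58 (Ubuntu)", "X-Powered-By": "PHP/8.2.10",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
```

Note that the CSP in the Nginx and Apache snippets further down this page carries 'unsafe-inline' in script-src and would be reported as WEAK by this audit.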

HTTP Status Code Checker: Understanding 200, 301, 302, 404, 500

Our HTTP status code checker shows the exact status code returned by any URL. Understanding status codes is essential for SEO, debugging, and server administration.

Success Codes (2xx)

200 OK is the standard successful response — the page loaded correctly. 201 Created indicates a resource was successfully created (common in API responses). 204 No Content means success but no body content to return.

Redirect Codes (3xx)

301 Moved Permanently transfers all SEO authority to the new URL — use for permanent migrations like HTTP to HTTPS. 302 Found is a temporary redirect that preserves SEO on the original URL. Using 302 when you should use 301 can hurt your search rankings. Analyze your complete redirect chain with our Redirect Checker.

Client Error Codes (4xx)

403 Forbidden means the server understood the request but refuses to authorize it. 404 Not Found means the requested resource does not exist. 429 Too Many Requests indicates rate limiting is active.

Server Error Codes (5xx)

500 Internal Server Error indicates a server-side failure. 502 Bad Gateway means a proxy or load balancer received an invalid response from the upstream server. 503 Service Unavailable typically means the server is overloaded or under maintenance.

Code | Meaning            | SEO Impact                   | Action
-----|--------------------|------------------------------|------------------------------
200  | OK (Success)       | Page indexed normally        | None needed
301  | Moved Permanently  | Transfers 90-99% link equity | Use for permanent URL changes
302  | Temporary Redirect | SEO stays on original URL    | Use only for temp redirects
404  | Not Found          | Page drops from index        | 301 redirect or fix URL
500  | Server Error       | Page may drop from index     | Debug server logs

Cache-Control, Expires, and Performance Header Analysis

Caching headers dramatically impact website speed and bandwidth. Our HTTP headers analyzer displays all caching directives so you can verify your performance configuration.

Cache-Control Directives

Cache-Control is the primary caching header. Common directives include: max-age=31536000 (cache for 1 year — ideal for static assets), no-cache (must revalidate with server before using cache), no-store (never cache — use for sensitive data), and public vs private (whether CDNs can cache the response).

Vary Header and CDN Optimization

The Vary header tells CDNs and proxies which request headers affect the response. Vary: Accept-Encoding means gzip and non-gzip versions are cached separately. Incorrect Vary headers can reduce CDN cache hit rates, hurting performance.

Keep-Alive and Connection Headers

Keep-Alive keeps TCP connections open across multiple requests, reducing latency. With HTTP/2 multiplexing, Keep-Alive is less critical because multiple requests share a single connection. Our tool helps identify whether your server supports HTTP/2 vs HTTP/3 by checking the alt-svc header for a QUIC/HTTP3 protocol advertisement. Test your connection speed with our Speed Test Tool.

CORS Headers and Access-Control-Allow-Origin Explained

CORS (Cross-Origin Resource Sharing) headers control which external domains can access your server's resources via JavaScript. Our online request header viewer displays all CORS-related headers for inspection.

Key CORS Headers

  • Access-Control-Allow-Origin: Specifies which domains can make cross-origin requests. Setting this to * allows any domain — convenient for public APIs but a security risk for authenticated endpoints.
  • Access-Control-Allow-Methods: Specifies allowed HTTP methods (GET, POST, PUT, DELETE) for cross-origin requests.
  • Access-Control-Allow-Headers: Lists which custom headers are permitted in cross-origin requests.
  • Access-Control-Max-Age: How long the browser should cache the preflight response (in seconds).

Misconfigured CORS headers are a common source of API errors and security vulnerabilities. If your JavaScript fetch requests fail with "CORS policy" errors, use our HTTP headers analyzer to verify the target server's CORS configuration. For related cross-origin concerns, check your Referrer Leak Test.
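As an added example, not part of the original page or the tool, the Python functions below show the server side of the point made above: answering cross-origin requests from an allowlist of origins instead of `*`, including the preflight response, and a checker that reports the misconfigurations a header audit should flag (wildcard on credentialed responses, `null` origin, missing `Vary: Origin`). The origin names and the allowed methods and headers are placeholder assumptions.

```python
# Assumed allowlist for this example; the page names no specific origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Authorization, Content-Type"
PREFLIGHT_MAX_AGE = "600"  # seconds the browser may cache the preflight result


def cors_headers(request_headers, method, credentialed=True):
    """Build the CORS response headers for one request.

    Returns {} for same-origin requests and for origins outside the allowlist,
    so the browser blocks the cross-origin read. This is the alternative to
    '*' (or reflecting whatever Origin arrives) on an authenticated endpoint."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    out = {"Access-Control-Allow-Origin": origin,
           # The value now differs per origin, so shared caches must key on it.
           "Vary": "Origin"}
    if credentialed:
        out["Access-Control-Allow-Credentials"] = "true"
    # Preflight: an OPTIONS request carrying Access-Control-Request-Method.
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        out["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return out


def check_cors(response_headers):
    """Flag the CORS misconfigurations a header audit should report."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    findings = []
    if acao == "*":
        findings.append("wildcard origin: any site can read this response; unsafe for authenticated endpoints")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("wildcard with credentials: browsers reject this pair, so the policy is broken")
    elif acao == "null":
        findings.append("null origin: sandboxed iframes and data: URLs can satisfy it")
    elif acao and "origin" not in h.get("vary", "").lower():
        findings.append("missing Vary: Origin: a cache may replay one origin's allow header to another")
    return findings
```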

How to Fix "Missing Secure Headers" Warning on WordPress and Nginx

Security scanners and Google Lighthouse often flag "missing secure headers" warnings. Our HTTP headers analyzer identifies exactly which headers are missing so you know what to fix.

Adding Security Headers on Nginx

# Add to your Nginx server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 'unsafe-inline' keeps legacy inline scripts working but also lets injected inline
# scripts run; replace it with nonces or hashes once inline scripts are moved out.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# IMPORTANT: Use "always" to apply to all status codes
# NOTE: add_header is NOT inherited by a location block that defines its own add_header,
# so repeat the full set there (or move it into an included file) or the headers silently vanish
# Restart Nginx: sudo systemctl restart nginx
# Verify with TrustMyIP HTTP Headers Analyzer

Adding Security Headers on Apache (.htaccess)

# Add to .htaccess (Apache):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Requires mod_headers: a2enmod headers
# Restart Apache: sudo systemctl restart apache2

WordPress-Specific Methods

For WordPress, you can add headers via your theme's functions.php using the send_headers action hook, install a dedicated security headers plugin like "HTTP Headers" or "Security Headers", or add them directly in your server configuration (preferred method for performance). After adding headers, use our tool to verify they appear correctly. Protect your WordPress admin with a strong password from our Password Generator.

Analyze HTTP Headers for GDPR and Privacy Compliance

HTTP headers reveal information about both your visitors and your server that has direct implications for GDPR privacy compliance. Our HTTP headers analyzer helps identify privacy-relevant headers.

Referrer-Policy — Information Leakage Control

The Referrer-Policy header controls how much URL information is shared when users click links from your site. Setting it to strict-origin-when-cross-origin prevents leaking full URL paths to external sites while maintaining analytics functionality. Without it, the full URL of every page your users visit is sent to external resources. Test your referrer behavior with our Referrer Leak Test.

Permissions-Policy — Feature Restriction

GDPR auditors check whether your website unnecessarily accesses sensitive browser features. Permissions-Policy restricts access to camera, microphone, geolocation, and payment APIs. Setting camera=() blocks camera access completely — even if a malicious script is injected into your page. Learn more about browser feature exposure in our Browser Info Tool.

Server Information Leakage

The Server header revealing exact software versions can be considered an unnecessary disclosure under GDPR's data minimization principle. GDPR-focused security auditors routinely flag exposed Nginx/Apache and PHP version information as an unnecessary risk. Our tool detects and warns about these leaks. For a broader look at information your browser reveals, check our WebRTC Probe and Canvas Fingerprint Test.

Request Headers Explained: Your Browser's Digital Fingerprint

While response headers are sent by the server, request headers are sent by your browser with every HTTP request. Our online request header viewer displays these in real-time, showing exactly what information your browser shares with every website you visit.

User-Agent: Your Browser's Passport

The User-Agent header identifies your browser name, version, operating system, and device type. It is the primary component of browser fingerprinting — allowing websites to identify you without cookies. Even with a VPN, your User-Agent stays the same, revealing your real browser and OS. Check your full fingerprint with our JA3 Fingerprint Tool.

Accept-Language: Location Leakage

The Accept-Language header reveals your preferred language (e.g., en-US, ur-PK). Even if you use a VPN to appear in Germany, this header tells the server your actual language preference — a potential location leak. Learn more in our guide on what information websites can see from your connection.

Referer: Navigation Tracking

The Referer header (historically misspelled) tells the destination website which page you came from. This enables cross-site navigation tracking. The Referrer-Policy response header can control this. Check your referrer behavior with our Referrer Leak Test.

Privacy Tip: Use our HTTP headers analyzer to see exactly what request headers your browser sends. Compare before and after enabling a VPN or switching to privacy-focused browsers like Firefox with Enhanced Tracking Protection. Read our guide on checking if your IP is leaking through your VPN.

Complete HTTP Header Security Audit Checklist

Use this comprehensive checklist to audit your website's HTTP header configuration with our HTTP headers analyzer.

  • Step 1: Enter your website URL in our HTTP header lookup tool and check the security grade.
  • Step 2: Verify all 8 security headers are present: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy, X-XSS-Protection, Cross-Origin-Opener-Policy.
  • Step 3: Check the Server header for version leaks — hide Nginx/Apache/PHP versions.
  • Step 4: Verify Cache-Control is set correctly for static assets (long max-age) and dynamic pages (no-store or short max-age).
  • Step 5: Check CORS headers — avoid Access-Control-Allow-Origin: * on authenticated endpoints.
  • Step 6: Verify HTTP status code is 200 (not 302 or other redirect). Check redirects with our Redirect Checker.
  • Step 7: Check SSL certificate validity with our SSL Checker.
  • Step 8: Verify DNS records with our DNS Lookup Tool.
  • Step 9: Check IP reputation with our IP Blacklist Checker.
  • Step 10: Test browser privacy with our Browser Leak Test.

Best Practice: Run a header audit after every server configuration change, software update, plugin installation, or CDN integration. Security headers can be inadvertently removed by reverse proxies, load balancers, or CDN configurations.

Frequently Asked Questions About HTTP Header Analysis

What is an HTTP headers analyzer and what does it show?

An HTTP headers analyzer fetches response headers from any URL showing the HTTP status code, security headers (CSP, HSTS, X-Frame-Options), server signature (Nginx/Apache), caching directives (Cache-Control), CORS headers, and protocol info. Our tool grades security from A+ to F.

How to check if security headers are missing on my website?

Enter your URL in our server header checker. It audits 8 critical headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy, X-XSS-Protection, and Cross-Origin-Opener-Policy. Missing headers show with descriptions of the vulnerability they expose.

Why is my website leaking server version in headers?

Nginx and Apache include a server signature by default. Fix with server_tokens off; (Nginx) or ServerTokens Prod (Apache). For PHP version leaks, set expose_php = Off in php.ini. Our tool auto-detects version information in Server headers.

What is the difference between HTTP 301 and 302 redirects?

301 = permanent redirect, transfers SEO authority to new URL. 302 = temporary redirect, SEO stays with original. Use 301 for domain migrations and HTTP→HTTPS. Our HTTP status code checker shows the exact code. Check full redirect chains with our Redirect Checker.

How to fix "Missing Secure Headers" on WordPress?

Add headers via .htaccess (Apache), server config (Nginx), functions.php using send_headers hook, or a security headers plugin. After adding, use our HTTP headers analyzer to verify all 8 security headers appear. Server-level configuration is preferred over plugin methods for performance.

How to check Content-Security-Policy for XSS protection?

Enter your URL in our tool. It checks for the CSP header and displays its full value. A proper CSP specifies allowed sources for scripts, styles, and resources. Missing CSP leaves your site vulnerable to cross-site scripting (XSS). Review script-src, style-src, and default-src directives.

What are CORS headers and how to check them?

CORS headers (Access-Control-Allow-Origin) control which external domains can access your resources via JavaScript. Setting * allows any domain. Our HTTP headers analyzer displays all CORS headers including Allow-Methods, Allow-Headers, and Max-Age for complete inspection.

Can I analyze HTTP headers for GDPR compliance?

Yes. Our tool checks Referrer-Policy (information leakage), Permissions-Policy (feature access like camera/microphone), CSP (unauthorized scripts), and Server header (technical disclosure). GDPR auditors routinely check these headers. A+ grade indicates strong privacy compliance.


Audit Any Website's HTTP Headers Instantly
Free Server Header Checker — No Signup Required

Our HTTP headers analyzer checks response headers, audits 8 security headers, detects server signature leaks, verifies HTTP status codes, analyzes Cache-Control performance, and displays your browser's request headers. Security graded from A+ to F.