What does this tool actually show?

A HEAD request to the URL you give it and the response headers the server sends back. You get the final status code, the resolved URL after redirects, and every header the server returns: Content-Type, caching policy (Cache-Control, Expires), security headers (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options), Server identification, and so on.

Why HEAD and not GET?

HEAD asks the server 'what would the response headers look like for this URL?' without downloading the body. Faster, less bandwidth, and it does not trigger analytics or tracking pixels in case the target counts visits. Servers should return the same headers as for GET. A few misconfigured servers return 405 (method not allowed), in that case the tool reports the failure.

Does this tool follow redirects?

Yes, up to 5 hops. Each redirect is re-validated against our SSRF protection, so a 30x cannot trick the tool into hitting a private IP mid-chain. The final response is what you see. Intermediate hops are not listed individually (the final URL field tells you where you landed).

Can I check `http://localhost/...` or `http://192.168.1.1/...`?

No. We resolve the domain to an IP and refuse private (RFC 1918), loopback (127/8, ::1), link-local (169.254/16), and cloud metadata (169.254.169.254). The tool inspects public-internet hosts only.

What can I do with the result?

Audit caching policy (Cache-Control), check for HSTS or CSP, see which web server is exposed (Server header), detect missing security headers, confirm a redirect lands where expected. To check TLS on the same host use SSL Checker. To verify the underlying DNS use DNS Lookup.

Free, no signup, rate-limited per IP. Max 5 redirects per request, 5-second timeout per hop. Private/internal IPs refused for security.

WEB

HTTP Header Checker

Check HTTP headers

Input

Inspect the response headers of any website. Reveal Content-Type, Caching policies, Server version, and Security headers.

Terminal

Console ready. Execute a command to see output...

About HTTP Header Checker

The Hidden Conversation

Before a browser renders a page, the server sends a set of "Headers" defining the rules of engagement.

Important Headers to Watch

Status Code: 200 (OK), 301 (Redirect), 404 (Not Found), 500 (Error).
Cache-Control: Tells the browser how long to keep the file.
Content-Security-Policy (CSP): The modern firewall against XSS attacks.
Strict-Transport-Security (HSTS): Forces HTTPS connections.

How to use HTTP Header Checker

Enter a URL
Full URL (https://example.com/path) or just the host (we default to https:// if you skip the scheme).
Hit Check Headers
A HEAD request goes out from our server with SSRF protection on every hop.
Read the response
Status code, statusText, the final URL after redirects, and every response header (one per line).
Follow up
Use SSL Checker on the same host for TLS details, or DNS Lookup for the underlying DNS record.

Frequently Asked Questions

: A HEAD request to the URL you give it and the response headers the server sends back. You get the final status code, the resolved URL after redirects, and every header the server returns: Content-Type, caching policy (Cache-Control, Expires), security headers (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options), Server identification, and so on.