HTTP Header Checker

Inspect any URL's response headers, follow its redirect chain, and grade its security headers (HSTS, CSP, X-Frame-Options). Runs on the edge, stores nothing.

  • [FREE]
  • [NO_SIGNUP]
  • [USES_SERVER]

⚠ Unlike most of the site, this tool runs one request on a server because your browser cannot make it directly. It keeps none of your input — see the tool and the privacy page.

The HTTP header checker shows the response headers any URL returns, the redirects it goes through, and how many key security headers it sets — all fetched server-side because a browser can’t read another site’s headers.

Why this tool has a server

Most tools here run entirely in your browser. This one can’t: client-side JavaScript can’t read another website’s response headers — the browser’s same-origin policy and CORS block it. The request has to come from a server. So this tool fetches your URL from Cloudflare’s edge and returns what it gets. It does not store the URL or the response.

What it returns

  • Final status — the HTTP status code after following redirects (green 2xx, amber 3xx, red 4xx/5xx).
  • Redirect chain — every hop with its status and target, up to 8. Redirects to private/internal addresses are refused.
  • Security-header grade — A–F by how many of six high-impact headers are present:
      Header                      What it does
      Strict-Transport-Security   Forces HTTPS on later visits.
      Content-Security-Policy     Limits where scripts/styles load from.
      X-Content-Type-Options      Stops MIME sniffing (nosniff).
      X-Frame-Options             Blocks clickjacking via framing.
      Referrer-Policy             Controls the Referer sent onward.
      Permissions-Policy          Restricts powerful browser features.
  • All response headers — the complete set the server returned.

The grade is a quick signal, not a full audit: a header that’s present can still be weakly configured.

Frequently asked questions

Why does this need a server?

A browser cannot read another website's raw response headers or follow its redirect chain — the same-origin policy and CORS block cross-site header access from client JavaScript. The only way to see them is to make the request from a server. This tool fetches the URL from Cloudflare's edge and returns the headers and redirect hops.

Do you store the URLs I check?

No. The URL is used to make the request and is then discarded — not written to a database, log, or cookie by this tool. Cloudflare may record standard request metadata at the network layer, as any host does.

Which security headers does it grade?

Six high-impact response headers: Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. The grade is simply how many of the six are present (A = all six, F = none). It's a quick signal, not a full audit — a present header can still be weakly configured.

Does it follow redirects?

Yes — up to 8 hops, shown as a chain with each status code and target. Each redirect target is re-checked, and the tool refuses to follow a redirect to a private or internal address.

Can I check an internal or localhost URL?

No. For safety the tool only fetches public http/https URLs and blocks localhost, .local/.internal hostnames, and private/loopback/link-local IP ranges.
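
The redirect re-checking and internal-address refusal described in the two answers above, sketched as an added example (not this tool's own code). The function names, the `lookup` stand-in for the network fetch, and the sample hops are assumptions; blocking 0.0.0.0/8 and IPv4-mapped IPv6 goes beyond the ranges the page lists.

```javascript
// Added example, not the tool's code; all names and the sample hops are constructed.
const MAX_HOPS = 8; // hop limit stated on the page

// Returns a reason string when the URL must not be fetched, else null.
function blockReason(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return "invalid URL"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "scheme not http/https";
  // URL parsing already normalises numeric IPv4 forms (0x7f.1) to dotted decimal.
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || /\.(localhost|local|internal)$/.test(host)) return "internal hostname";
  if (host.startsWith("[")) { // IPv6 literal: loopback, unspecified, fc00::/7, fe80::/10, v4-mapped
    const v6 = host.slice(1, -1);
    const bad = v6 === "::1" || v6 === "::" || v6.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
    return bad ? "internal IPv6 address" : null;
  }
  const m = host.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return null; // a DNS name: a real service must also check the resolved address
  const a = Number(m[1]), b = Number(m[2]);
  const internal = a === 0 || a === 10 || a === 127 || // 0/8 is an added assumption
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  return internal ? "internal IPv4 address" : null;
}

// Walks the chain, re-checking every target before it is requested.
// lookup(url) stands in for the network fetch and returns { status, location }.
function followChain(startUrl, lookup) {
  const hops = [];
  let url = startUrl;
  for (;;) {
    const reason = blockReason(url);
    if (reason) return { hops, refused: url, reason };
    const res = lookup(url);
    if (res.status < 300 || res.status >= 400 || !res.location) return { hops, finalStatus: res.status };
    if (hops.length === MAX_HOPS) return { hops, refused: res.location, reason: "too many redirects" };
    try { url = new URL(res.location, url).href; }
    catch { return { hops, refused: res.location, reason: "invalid URL" }; }
    hops.push({ status: res.status, target: url });
  }
}

// Constructed sample: the second redirect points at a link-local address.
const SAMPLE = {
  "http://example.com/": { status: 301, location: "https://example.com/" },
  "https://example.com/": { status: 302, location: "http://169.254.10.20/status" },
};
const sampleLookup = (u) => SAMPLE[u] || { status: 200 };
console.log(followChain("http://example.com/", sampleLookup));
```

Checking only the first URL is not enough: in the sample the starting URL is public and the refusal happens at the third request, which is why the check sits inside the loop.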

Why might the result differ from my browser?

The request comes from a Cloudflare server with a generic user-agent, not your browser, your cookies, or your IP/region. Sites that vary responses by user-agent, geography, auth, or bot detection can return different headers or status codes than you see.