
HTTP header analysis methodology

This tool requests the submitted URL and reports the response headers as seen from this server's network path. Header output is endpoint-specific: scheme, hostname, path, redirects, method, user agent, CDN, and cache state can all change the result.

What to review

  • Security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy describe browser-side protections.
  • Cache-Control, ETag, Last-Modified, Vary, Age, and CDN headers explain caching behavior and why two clients may see different responses.
  • Redirect headers show canonicalization, HTTPS enforcement, and chain behavior for the exact submitted URL.

Proxy and CDN caveats

  • Reverse proxies and CDNs may add, remove, normalize, or override origin headers.
  • Responses can vary by path, query string, cookie, Accept-Encoding, language, user agent, or geography.
  • A header present on the homepage may be absent on static assets, API routes, error pages, or authenticated paths.

Operational use

  • Check the final URL after redirects before judging security or cache policy.
  • Validate important headers on representative paths, not only the homepage.
  • If a CDN is present, compare origin and edge responses when debugging inconsistent behavior.
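
The three checks above as an added example (not this tool's own code): it judges each URL by its final response after redirects, reports missing security headers per path, and diffs origin against edge headers. The `example.test` URLs, the captured responses, and all function names are constructed for illustration.

```python
from urllib.parse import urljoin

# Security headers named on this page, lower-cased for case-insensitive lookup.
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-frame-options", "referrer-policy", "permissions-policy"]

# Constructed sample: URL -> (status, headers); stands in for live responses.
CAPTURED = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (200, {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer",
        "Permissions-Policy": "geolocation=()"}),
    "https://example.test/api/status": (200, {
        "Strict-Transport-Security": "max-age=31536000"}),
    "https://example.test/missing": (404, {"Content-Type": "text/html"}),
}

def lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def follow(url, responses, max_hops=5):
    """Follow redirects; return (final_url, status, headers, hop_count)."""
    for hops in range(max_hops + 1):
        status, headers = responses[url]
        headers = lower_keys(headers)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        return url, status, headers, hops
    raise RuntimeError("redirect chain longer than max_hops")

def audit(urls, responses):
    """Judge each submitted URL by the headers of its final response."""
    report = {}
    for url in urls:
        final, status, headers, hops = follow(url, responses)
        missing = [h for h in REQUIRED if h not in headers]
        report[url] = {"final_url": final, "status": status,
                       "hops": hops, "missing": missing}
    return report

def header_diff(origin, edge):
    """Header names that differ in value or exist on only one side."""
    o, e = lower_keys(origin), lower_keys(edge)
    return sorted(k for k in o.keys() | e.keys() if o.get(k) != e.get(k))
```

On the sample data the homepage passes once its redirect is followed, while the API route and the 404 page do not, which is the gap a homepage-only check would miss.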

Headers can vary by URL path, cookies, cache state, CDN edge, compression, language negotiation, user agent, and whether the response is a redirect, error page, asset, or HTML page.

Not by itself. Missing headers identify configuration gaps or missing browser-side controls. Impact depends on the application, content type, authentication model, and threat model.

Versioned static assets can usually be cached for a long time. Dynamic HTML often depends on sessions, cookies, personalization, or freshness and should use more conservative caching.