📚 What Are HTTP Response Headers?
Every time a browser requests a page, the server responds with the page content plus a set of HTTP response headers — metadata describing the response itself: what type of content it is, how long it can be cached, what server software generated it, what security policies apply, and more. Headers are invisible in the rendered page but fully readable by browser developer tools and dedicated inspectors like this one.
📋 Common Header Categories
| Category | Example Headers | Purpose |
|---|---|---|
| General | Content-Type, Content-Length, Date | Basic response metadata |
| Caching | Cache-Control, ETag, Expires, Last-Modified | Controls how browsers and CDNs cache the response |
| Security | Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options | Browser-enforced defensive instructions |
| Server Info | Server, X-Powered-By | Reveals (often unintentionally) the underlying tech stack |
| Cookies | Set-Cookie | Instructs the browser to store a cookie for future requests |
⚙️ How This Checker Works
Browsers block JavaScript from reading another site's response headers unless the target explicitly opts in via CORS — almost none do. This tool routes the request through a small, stateless server-side proxy that performs the fetch and relays back exactly what headers came back, unfiltered.
🛠️ Use Cases
🔧 Debugging Caching Issues
See exactly what Cache-Control and ETag values a page is serving when troubleshooting stale content complaints.
🔍 Competitive Tech Stack Research
Server and X-Powered-By headers can reveal what CDN, framework, or hosting a competitor's site runs on.
🛡️ Pre-Deployment Verification
Confirm all expected headers actually made it to production after a config change, not just the security-critical ones.
🎮 API Response Inspection
Check Content-Type, rate-limit headers, and CORS headers returned by a third-party API you're integrating with.
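The pre-deployment verification use case, as an added example that is not this tool's code: it groups a relayed header list by the categories in the table above, checks it against the headers a deployment is expected to serve, and lists Server / X-Powered-By values that disclose a version. The `[name, value]` pair format, the function names and the sample response are assumptions.

```javascript
// Added example: the [name, value] pair format and all names are assumptions.
const CATEGORIES = { // mirrors the category table on this page
  General: ['content-type', 'content-length', 'date'],
  Caching: ['cache-control', 'etag', 'expires', 'last-modified'],
  Security: ['strict-transport-security', 'content-security-policy', 'x-frame-options'],
  'Server Info': ['server', 'x-powered-by'],
  Cookies: ['set-cookie'],
};

// Index by lowercase name; repeated headers (Set-Cookie) stay separate values.
function indexHeaders(pairs) {
  const seen = new Map();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    seen.set(key, [...(seen.get(key) || []), value]);
  }
  return seen;
}

// Group the indexed headers under the page's categories; the rest go to "Other".
function groupHeaders(pairs) {
  const grouped = {};
  for (const [key, values] of indexHeaders(pairs)) {
    const cat = Object.keys(CATEGORIES).find((c) => CATEGORIES[c].includes(key)) || 'Other';
    grouped[cat] = { ...(grouped[cat] || {}), [key]: values };
  }
  return grouped;
}

// `expected` maps a lowercase header name to a RegExp its value must match.
function verifyDeployment(pairs, expected) {
  const seen = indexHeaders(pairs);
  const missing = [], mismatched = [];
  for (const [name, pattern] of Object.entries(expected)) {
    const values = seen.get(name);
    if (!values) missing.push(name);
    else if (!values.some((v) => pattern.test(v))) mismatched.push(name);
  }
  // Server / X-Powered-By values carrying a version number, e.g. "nginx/1.25".
  const disclosed = ['server', 'x-powered-by']
    .flatMap((h) => seen.get(h) || []).filter((v) => /\d+\.\d+/.test(v));
  return { missing, mismatched, disclosed };
}
// Constructed sample response, not captured from a real site.
const SAMPLE = [
  ['Content-Type', 'text/html; charset=utf-8'], ['Cache-Control', 'no-store'],
  ['Server', 'nginx/1.25'], ['Set-Cookie', 'a=1; Path=/'],
  ['Set-Cookie', 'b=2; Path=/'], ['X-Request-Id', 'constructed-123'],
];
```

Calling `verifyDeployment(SAMPLE, {...})` with one pattern per expected header separates headers that never arrived from headers that arrived with the wrong value.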
🔗 More Ways to Investigate a Website
For a security-focused grade instead of a full raw dump, use Security Headers Checker. Also check SSL Certificate Checker and DNS Lookup.
What is an HTTP response header?
A key-value pair a server sends alongside response content, providing metadata like content type, caching rules, server software, and security policy.
What is the difference between this and Security Headers Checker?
Security Headers Checker grades a curated set of security-relevant headers. This tool shows the complete, unfiltered set of every header returned, grouped by category.
Can I see cookies set by a website with this tool?
Yes, Set-Cookie is shown if present, though it reflects a fresh unauthenticated request rather than any session-specific cookie from a logged-in session.
Why do I need a proxy to check HTTP headers?
Browsers block JavaScript from reading another site's headers unless it opts in via CORS. A small server-side proxy performs the fetch and relays results instead.
What is the Content-Type header used for?
Tells the browser what kind of content is in the response body — text/html, application/json, image/png, etc. — so it knows how to render it.
Is checking another website's headers legal?
Yes — response headers are returned to any client making a normal request, identical to what your own browser receives visiting the site directly.
What does the Server header reveal?
Often the web server software and sometimes its version (e.g. nginx/1.25) — useful for research, though many sites deliberately obscure or remove this for hardening.
What is ETag used for?
A unique identifier for a specific version of a resource, letting the browser ask "has this changed?" on a follow-up request instead of re-downloading unchanged content.
Can headers differ between requests to the same URL?
Yes — A/B tests, CDN edge location, load balancer routing, or server-side personalization can all cause headers to vary slightly between individual requests.
Does this tool follow redirects?
Yes, the proxy follows redirects and reports the final URL along with the headers from the final response.
Why are some headers missing that I see in browser DevTools?
A few headers (like Set-Cookie in some configurations) may be restricted from JavaScript access even through a proxy for security reasons — DevTools has direct browser-level access this tool doesn't.
Is this tool useful for API debugging?
Yes — check Content-Type, rate-limit headers, CORS headers, and caching directives returned by any API endpoint you're integrating with.
Can I check headers on a localhost or internal URL?
No — the proxy runs on Cloudflare's network and can only reach publicly accessible URLs, not internal or localhost addresses on your own machine.
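A server-side fetch proxy that accepts arbitrary URLs is safest when it enforces the "public targets only" rule itself instead of relying on where it runs. The following is an added example of such a check, not this tool's code; the function names and the block list are assumptions.

```javascript
// Added example: function names and the block list are assumptions, not the tool's code.
const BLOCKED_V4 = [ // [network, prefix length]: loopback, private, link-local, CGNAT
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inBlockedV4(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Decide whether the proxy may fetch rawUrl. Run it on the first URL and on
// every redirect Location; a hostname that passes here still needs its
// resolved address checked at connect time, which this offline example omits.
function checkTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return { ok: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme' };
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if (host.startsWith('[')) { // IPv6 literal, e.g. [::1]
    const v6 = host.slice(1, -1);
    const internal = v6 === '::' || v6 === '::1' || v6.startsWith('::ffff:') ||
      /^f[cd][0-9a-f]{2}:|^fe[89ab][0-9a-f]:/.test(v6);
    return internal ? { ok: false, reason: 'internal IPv6' } : { ok: true, reason: 'public' };
  }
  const ip = ipv4ToInt(host);
  if (ip !== null && inBlockedV4(ip)) return { ok: false, reason: 'internal IPv4' };
  return { ok: true, reason: 'public' };
}
```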
Is HTTP Headers Checker free?
Yes — free and unlimited, performing a live GET request through the proxy and reporting exactly what headers came back.
Can I check headers on an HTTP (non-HTTPS) site?
Yes — the proxy will fetch whichever protocol the URL specifies, or follow a redirect if the site forces HTTPS, and report the final response's headers.