Get HTTP Headers

Article Summary: This article explains what HTTP response headers are, why they matter for both security and performance, and how to use our external header inspection tool to audit any website's headers. It covers the most important security and performance headers, explains the difference between the two categories, and answers common questions about specific headers and how to configure them.

What Are HTTP Headers?

HTTP headers are key-value pairs transmitted between a client (browser or HTTP tool) and a server as part of every HTTP request and response. Response headers — the type this tool inspects — are sent by the server along with every page, resource, or API response. They are invisible to ordinary website visitors but carry critical instructions that govern how browsers, CDNs, proxies, and security tools handle the content.

Headers are defined by the HTTP specification (RFC 7230 and related RFCs) and are continuously extended by browser vendors and standards bodies. Some headers are standardized and universally recognized; others are proprietary extensions (often prefixed with X-) that originated with specific vendors but became de facto standards.

Inspecting headers is the HTTP equivalent of running curl -I https://example.com from the command line — our tool performs that request from an external server, giving you a neutral, external view of exactly what headers your site sends to the public.

How It Works

The External Request

When you enter a URL, our server sends an HTTP HEAD or GET request to both the HTTP and HTTPS endpoints of the domain and captures all response headers returned. The tool also records the full redirect chain — so if your site redirects from HTTP to HTTPS, or from www to non-www, you can see each step and the headers returned at each stage.

Because the request originates from our external server (not your browser), you see exactly what any client on the public internet receives — including headers that your CDN, load balancer, or reverse proxy adds or strips. Browser developer tools show headers as seen after your browser processes them; our tool shows the raw headers before any local manipulation.

Reading the Output

Headers are displayed in alphabetical order for easy scanning. Each header name is a key; the value describes its directive. Some headers have simple values (e.g., X-Content-Type-Options: nosniff); others contain structured directives (e.g., Cache-Control: max-age=3600, public, must-revalidate). Unfamiliar headers can be looked up in the MDN Web Docs HTTP Headers reference — a comprehensive, authoritative resource for every standardized header.

Security Headers vs Performance Headers

HTTP headers serve two broad purposes — security enforcement and performance optimization — and it is useful to think of them separately when auditing a site.

Security Headers

Security headers instruct browsers to apply protective policies that mitigate common web vulnerabilities. They do not affect how content looks or loads for users — they are pure security controls. Examples include:

• Strict-Transport-Security (HSTS) — forces browsers to use HTTPS exclusively, preventing protocol downgrade attacks.
• Content-Security-Policy (CSP) — restricts which resources (scripts, stylesheets, images) the browser may load, mitigating cross-site scripting (XSS) and data injection attacks.
• X-Frame-Options — prevents the page from being embedded in an <iframe> on another domain, blocking clickjacking attacks.
• X-Content-Type-Options: nosniff — prevents browsers from MIME sniffing — incorrectly interpreting a response as a different content type than declared.
• Referrer-Policy — controls how much referrer information is sent when a user navigates from your site to another, protecting user privacy.
• Permissions-Policy — restricts access to browser features (camera, microphone, geolocation) for the page and embedded iframes.

Performance Headers

Performance headers control caching, compression, and content delivery behavior. Correctly configured caching headers can dramatically reduce server load and improve page load times for returning visitors. Examples include:

• Cache-Control — the primary directive for controlling how long browsers and CDNs cache a response (max-age, no-cache, no-store, public, private).
• ETag — a fingerprint of the response content, allowing conditional requests to avoid re-downloading unchanged resources (If-None-Match).
• Last-Modified — the timestamp of when the resource was last changed, used similarly to ETag for conditional caching.
• Content-Encoding: gzip / br — indicates the server compressed the response body with gzip or Brotli, reducing transfer size.
• Vary — tells CDNs which request headers affect the response, ensuring correct cache differentiation (e.g., Vary: Accept-Encoding).

Common Use Cases

Security Header Audit

Before submitting a web application to a security review or penetration test, running a header check immediately reveals which security headers are missing. The absence of HSTS, CSP, or X-Frame-Options is a common finding in security audits — and one that is straightforward to fix at the web server or application level.

CDN and Caching Verification

After configuring a CDN (Cloudflare, CloudFront, Fastly), check the headers to confirm that Cache-Control directives are correct and that CDN-specific headers (such as CF-Cache-Status or X-Cache) indicate the expected caching behavior. Incorrectly configured caching can result in stale content being served or sensitive responses being cached inappropriately.

Redirect Chain Debugging

When a site has unexpected redirect behavior — too many redirects, redirect loops, or the wrong final destination — examining headers at each step of the chain pinpoints where the misconfiguration occurs, whether it is at the web server level, the application level, or the CDN layer.

Server Fingerprint Review

The Server header reveals the web server software and often its version (e.g., Server: nginx/1.24.0). Security-conscious administrators suppress or generalize this header to reduce information disclosure to potential attackers. Checking this header is part of any hardening review.

Technical Reference

Frequently Asked Questions

What are HTTP headers?

HTTP headers are key-value metadata fields transmitted in every HTTP request and response. Response headers are sent by the server and tell the browser (and any intermediaries such as CDNs and proxies) how to handle the response — including caching rules, content type, security policies, and encoding. They are separate from the HTML body and invisible to end users browsing the site normally.

Why should I check my site's HTTP headers?

Headers directly affect security posture and performance. Missing security headers like HSTS or Content-Security-Policy leave your users exposed to known attack vectors. Misconfigured Cache-Control headers can cause CDNs to serve stale content or prevent caching entirely, degrading performance. Many compliance frameworks (PCI DSS, SOC 2) and security scanners explicitly check for the presence and correctness of security response headers.

What is HSTS and why does it matter?

HTTP Strict Transport Security (HSTS) is a response header that instructs browsers to always connect to the site over HTTPS — even if the user types http:// or clicks an HTTP link. Once a browser has seen the HSTS header, it will automatically upgrade connections to HTTPS for the specified max-age duration (typically one year). This prevents SSL stripping attacks, where an attacker intercepts an HTTP connection before it can redirect to HTTPS. For maximum protection, include the includeSubDomains directive and consider submitting to the HSTS preload list.

How do I add security headers to my web server?

Security headers are typically added at the web server or reverse proxy level, so they apply to all responses regardless of the application framework:

• Nginx: Use add_header directives in your server or location block.
• Apache: Use Header always set directives in .htaccess or the virtual host configuration (requires mod_headers).
• IIS: Configure custom response headers in web.config under <httpProtocol><customHeaders>.
• Cloudflare: Use Transform Rules to add response headers at the CDN edge.
• ASP.NET Core: Use middleware such as app.UseHsts() and the NWebsec library for comprehensive header management.

What does the Server header reveal?

The Server header identifies the web server software and often includes the version number (e.g., Apache/2.4.57 (Ubuntu) or nginx/1.24.0). This is a form of information disclosure — it tells potential attackers which software version you are running, enabling them to target known vulnerabilities for that specific version. Security best practice is to suppress or generalize this header. In Nginx, set server_tokens off;. In Apache, set ServerTokens Prod and ServerSignature Off.

Conclusion and Takeaways

HTTP response headers are among the most underrated aspects of web server configuration. A few lines of server config can dramatically improve a site's security posture by enabling HSTS, CSP, and clickjacking protection — and correct caching headers can cut bandwidth usage and improve performance for repeat visitors. Our Get HTTP Headers tool makes it effortless to inspect the exact headers any URL returns from an external perspective, without needing curl, browser developer tools, or any installed software. Whether you are auditing your own server, checking a CDN configuration, or investigating a redirect chain, the answer is always one request away.