Free HTTP Headers Inspector & Checker

An HTTP response headers checker that fetches server headers without CORS restrictions. Inspect all HTTP response headers from any URL instantly. View security grades, cache directives, content types, and more - fully server-side, no tracking.


Last updated: May 22 2026

Reviewed by the QuickTooly Team

HTTP Headers Guide

Why Use a Server-Side HTTP Headers Checker?

  • No CORS limitations: All requests are made server-side - see every header the server actually sends.
  • Security grading: Instant A–F security score based on the six most critical HTTP security headers.
  • Organized view: Headers categorized into Security, Cache, Content, Server, and Custom groups.
  • Copyable results: Copy individual headers or all headers at once for documentation or debugging.
  • Redirect tracking: Follows redirects automatically and reports the final destination URL.
  • 100% free: No sign-up, no rate limits, no watermarks.

What Are HTTP Headers?

HTTP headers are key-value pairs sent between a client (browser) and a server with every request and response. They carry metadata about the communication and tell the browser (and any intermediary) how to handle it: what type of content is being returned, how long it should be cached, which origins are allowed to access it, and what security policies the browser should enforce.

Response headers are sent by the server back to the client. Inspecting them is one of the first steps in debugging caching issues, diagnosing security misconfigurations, or verifying that a deployment went as expected.

The Six Critical Security Headers

QuickTooly grades your site's security based on six widely-recognised security headers:

  • Strict-Transport-Security - Forces HTTPS for all future visits (HSTS). Essential for any site that handles sensitive data.
  • Content-Security-Policy - Restricts which resources can load, blocking most XSS attacks.
  • X-Frame-Options - Prevents your pages from being embedded in iframes on other sites (clickjacking defence).
  • X-Content-Type-Options - The nosniff directive prevents browsers from guessing the content type of a response.
  • Referrer-Policy - Controls how much URL information is sent in the Referer header to third-party sites.
  • Permissions-Policy - Restricts access to powerful browser APIs such as camera, microphone, and geolocation.

Understanding the Security Grade

Our grading mirrors the methodology used by securityheaders.com and similar tools, but goes further by categorising all response headers - not just security ones - so you get a complete picture in one place.

| Grade | Score | What It Means |
|-------|-------|---------------|
| A+ | 6/6 | All headers present with strong values (HSTS with max-age, CSP without unsafe directives) |
| A | 5–6 | Almost all critical headers present |
| B | 4/6 | Good baseline security |
| C | 3/6 | Several headers missing |
| D | 2/6 | Significant security gaps |
| F | 0–1 | Critical headers missing - site is likely vulnerable |
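The scale above, applied to a set of response headers. This is an added example, not QuickTooly's own code. It assumes that 6/6 without strong values grades as A, that a "strong" HSTS value means a max-age above zero, and that "unsafe directives" means the 'unsafe-inline' and 'unsafe-eval' keywords; the function names and sample headers are constructed for illustration.

```python
import re

# The six headers the page grades on, lower-cased (header names are case-insensitive).
CRITICAL = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

def hsts_is_strong(value):
    # Assumption: "strong" means a max-age directive with a value above zero
    # (max-age=0 tells the browser to drop its HSTS entry for the host).
    m = re.search(r"(?:^|;)\s*max-age\s*=\s*\"?(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) > 0

def csp_is_strong(value):
    # Assumption: "unsafe directives" means 'unsafe-inline' or 'unsafe-eval'.
    return not re.search(r"'unsafe-(inline|eval)'", value, re.I)

def grade(headers):
    """Return (score, letter, missing) for a mapping of response headers."""
    # Normalise names; a header sent with a blank value counts as missing.
    seen = {k.strip().lower(): v.strip() for k, v in headers.items()}
    present = [h for h in CRITICAL if seen.get(h)]
    missing = [h for h in CRITICAL if h not in present]
    score = len(present)
    if score == 6:
        strong = (hsts_is_strong(seen["strict-transport-security"])
                  and csp_is_strong(seen["content-security-policy"]))
        letter = "A+" if strong else "A"
    else:
        letter = {5: "A", 4: "B", 3: "C", 2: "D"}.get(score, "F")
    return score, letter, missing

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    print(grade(SAMPLE))
```

The sample has all six headers but stays at A because its CSP allows 'unsafe-inline'; removing that keyword lifts it to A+.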

How to Use This Tool

  • Enter a URL in the input field above - include the protocol (https://) or it will be added automatically
  • Click Inspect Headers or press Enter to send the request
  • Review the results - check the security grade and any missing headers highlighted in red
  • Copy headers individually or all at once for use in documentation or bug reports

Common HTTP Response Headers Reference

The table below covers the most commonly encountered HTTP response headers - what each one does, which category it belongs to, and typical values you'll see in the wild.

| Header | Category | What It Does | Common Values |
|--------|----------|--------------|---------------|
| Content-Type | Content | Declares the media type and character encoding of the response body | text/html; charset=utf-8 |
| Cache-Control | Cache | Directives controlling how and how long responses are cached by browsers and proxies | max-age=3600, no-cache, no-store |
| Strict-Transport-Security | Security | Forces HTTPS connections for a specified duration (HSTS) | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Security | Restricts which scripts, styles, and resources the browser may load - blocks XSS | default-src 'self' |
| X-Frame-Options | Security | Prevents clickjacking by controlling whether the page can be embedded in an iframe | DENY, SAMEORIGIN |
| X-Content-Type-Options | Security | Prevents browsers from MIME-sniffing the response away from the declared content-type | nosniff |
| Referrer-Policy | Security | Controls how much URL information is passed via the Referer header to third parties | no-referrer, strict-origin |
| Permissions-Policy | Security | Restricts browser feature access (camera, microphone, geolocation) per origin | camera=(), geolocation=() |
| ETag | Cache | Unique version token for a resource - enables conditional requests to avoid re-downloading unchanged content | "abc123def" |
| Vary | Cache | Tells caches which request headers affect the response, so different clients get appropriate versions | Accept-Encoding, Accept-Language |
| Access-Control-Allow-Origin | Security | CORS header that specifies which origins may read the response in a browser context | *, https://example.com |
| Transfer-Encoding | Content | Specifies the encoding applied to the response body during transfer | chunked, gzip |
| Server | Server | Identifies the web server software - often deliberately obscured for security | nginx/1.25, cloudflare |
| X-Powered-By | Server | Reveals the server-side technology stack - commonly removed to reduce fingerprinting surface | Express, PHP/8.2 |

Frequently Asked Questions

Why can't I just use browser DevTools to check headers?

Browser DevTools only shows headers the browser decided to expose. Due to CORS restrictions, many response headers are filtered or hidden for cross-origin requests. QuickTooly fetches headers server-side, so you see every header the server actually sends - unfiltered.

What HTTP method does this tool use?

The tool sends a HEAD request by default, which retrieves headers without downloading the response body - making it faster and lighter. If a server returns 405 Method Not Allowed, the tool automatically falls back to a GET request.

Does the tool follow redirects?

Yes. The inspector follows HTTP redirects automatically and shows the final destination URL alongside the headers. A redirect notice is displayed in the results bar when the original URL was redirected.

Can I check headers for any URL?

Any publicly accessible HTTP or HTTPS URL works. Private, intranet, or authentication-protected URLs that are not reachable from the internet will return a network or DNS error.

How do I fix a failing security grade?

Missing headers are shown in red at the top of the Security section. Each header can typically be added in your web server configuration (nginx, Apache) or CDN settings (Cloudflare, Vercel, Netlify). Strict-Transport-Security and X-Content-Type-Options: nosniff are the quickest wins for most sites.

What's the difference between request headers and response headers?

Request headers are sent from the browser to the server - they include things like Accept, Authorization, and User-Agent. Response headers are returned by the server to the browser - those are what this tool inspects. They control caching behaviour, security policies, content handling, and more.