HTTP Headers Inspector

Inspect HTTP response headers and audit security headers (CSP, HSTS, X-Frame-Options) for any URL.

Requests are routed through allorigins.win to bypass browser CORS restrictions. The target URL receives a normal GET request from the proxy server.

Frequently Asked Questions

What does the HTTP Headers Inspector show?

It shows all response headers returned by a URL, categorised as security headers, cache/performance headers, or general info headers. Missing security headers are flagged.

Why does it use a proxy?

Browsers block cross-origin requests unless the server sets CORS headers. The tool routes requests through allorigins.win to overcome this limitation.

Which security headers does it check?

Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, Referrer-Policy, Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Opener-Policy (COOP).

Does it modify the target request?

No — the proxy sends a standard GET request and returns the response headers.

What Are HTTP Response Headers?

HTTP response headers are metadata lines sent by a server alongside every web page or API response. They tell the browser how to handle the content: whether to cache it, which origins are trusted, how to render it, and what security policies apply. Headers are invisible to end users but critical for security, performance, and SEO.

Essential Security Headers

| Header | Purpose | Recommended value |
| --- | --- | --- |
| Strict-Transport-Security | Force HTTPS — prevents downgrade attacks | `max-age=31536000; includeSubDomains` |
| Content-Security-Policy | Restrict script/style/image sources — stops XSS | `default-src 'self'` |
| X-Content-Type-Options | Prevent MIME-type sniffing | `nosniff` |
| X-Frame-Options | Block your page from being iframed (clickjacking) | `DENY` or `SAMEORIGIN` |
| Referrer-Policy | Control what URL is sent as Referer | `strict-origin-when-cross-origin` |
| Permissions-Policy | Disable browser features (camera, geolocation) | `camera=(), microphone=()` |

Cache & Performance Headers

  • Cache-Control — defines how long a response can be cached. max-age=31536000, immutable for versioned assets; no-store for sensitive data.
  • ETag — unique fingerprint of the response. Allows conditional GET requests so the browser only re-downloads if the content changed.
  • Last-Modified — timestamp of last change. Used with If-Modified-Since for conditional requests.
  • Content-Encoding — indicates Gzip or Brotli compression. Brotli (br) typically saves 15–20% more than Gzip.
  • Vary — tells CDNs which request headers affect the response (e.g. Vary: Accept-Encoding).
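As an added example (not the inspector's own code), the following Python script performs the same kind of audit offline on a constructed set of response headers: it sorts headers into the three categories the tool uses (security, cache/performance, general) and flags security headers that are missing or weaker than the recommended values listed above. The header lists, the one-year HSTS threshold and the sample headers are assumptions drawn from this page, not the tool's internals.

```python
import re
# Security (FAQ list) vs cache/performance header names; anything else is general info.
SECURITY_HEADERS = {
    "content-security-policy", "strict-transport-security", "x-content-type-options",
    "x-frame-options", "permissions-policy", "referrer-policy",
    "cross-origin-embedder-policy", "cross-origin-opener-policy",
}
CACHE_HEADERS = {"cache-control", "etag", "last-modified", "content-encoding", "vary"}
ONE_YEAR = 31536000  # recommended HSTS max-age (seconds)

def categorise(headers):
    """Group a {name: value} dict into security / cache / general buckets."""
    out = {"security": {}, "cache": {}, "general": {}}
    for name, value in headers.items():
        key = name.lower()  # header names are case-insensitive
        bucket = ("security" if key in SECURITY_HEADERS
                  else "cache" if key in CACHE_HEADERS else "general")
        out[bucket][key] = value.strip()
    return out

def audit_security(headers):
    """Return (header, finding) pairs for missing or weakly configured security headers."""
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [(h, "missing") for h in sorted(SECURITY_HEADERS) if h not in present]
    hsts = present.get("strict-transport-security", "")
    if hsts:  # present, but check it against the recommended value
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("strict-transport-security", "max-age below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("strict-transport-security", "includeSubDomains not set"))
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(("x-content-type-options", "value is not nosniff"))
    xfo = present.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", "value is neither DENY nor SAMEORIGIN"))
    return findings

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8", "Cache-Control": "max-age=600",
    "ETag": '"abc123"', "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for header, finding in audit_security(SAMPLE_HEADERS):
        print(f"[!] {header}: {finding}")
```

Against the constructed sample this reports five missing headers plus a short-lived HSTS policy without includeSubDomains and a non-standard X-Frame-Options value; a response carrying the table's recommended values produces no findings.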