HTTP Headers Inspector
Enter any URL to inspect its HTTP response headers. Security headers are highlighted and missing ones are flagged to help you improve your site's security posture.
Requests are routed through allorigins.win to bypass browser CORS restrictions. The target URL receives a normal GET request from the proxy server.
Frequently Asked Questions
What does the HTTP Headers Inspector show?
It shows all response headers returned by a URL, categorised as security headers, cache/performance headers, or general info headers. Missing security headers are flagged.
Why does it use a proxy?
Browsers block cross-origin requests unless the server sets CORS headers. The tool routes requests through allorigins.win to overcome this limitation.
Which security headers does it check?
Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, Referrer-Policy, COEP, and COOP.
Does it modify the target request?
No — the proxy sends a standard GET request and returns the response headers.