
HTTP Headers: Security Analysis and Configuration

Александр Михеев

08 March 2025 · 2 min read

HTTP headers are metadata exchanged between client and server with every request. They control caching, security, encoding, content type, and many other aspects of communication. Proper header configuration is critical for website security and performance.

Security Headers

  • Content-Security-Policy (CSP) — defines where resources (scripts, styles, images) can be loaded from. Protects against XSS attacks and malicious code injections.
  • Strict-Transport-Security (HSTS) — tells the browser that the site is only available over HTTPS. Prevents downgrade attacks and cookie hijacking.
  • X-Content-Type-Options: nosniff — prevents the browser from "guessing" the MIME type of a file. Protects against content type spoofing attacks.
  • X-Frame-Options — controls whether the page can be embedded in an iframe. Protects against clickjacking attacks. Values: DENY, SAMEORIGIN.
  • X-XSS-Protection — built-in browser XSS filter (deprecated but still recommended for compatibility).
  • Referrer-Policy — controls what information is passed in the Referer header when navigating between pages.
  • Permissions-Policy — manages access to browser APIs: camera, microphone, geolocation, accelerometer.

Caching Headers

  • Cache-Control — the primary cache management mechanism. Directives: max-age, no-cache, no-store, public, private.
  • ETag — a unique identifier for a resource version. Allows checking whether a file has changed without re-downloading it.
  • Last-Modified — the date the resource was last modified.
  • Expires — a deprecated header that sets an absolute cache expiration date.

CORS Headers

Cross-Origin Resource Sharing controls access to resources from other domains:

  • Access-Control-Allow-Origin — which domains can make requests.
  • Access-Control-Allow-Methods — allowed HTTP methods (GET, POST, PUT, DELETE).
  • Access-Control-Allow-Headers — allowed headers in requests.

How to Check Headers

HTTP headers can be viewed in the browser DevTools (Network tab) or from the command line with curl -I https://example.com. Our tool performs a HEAD request and displays all response headers in a convenient format.
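As an added example (not the useToolz tool's own code), the Python script below parses a header block in the form curl -I prints it and applies the checks from the sections above, reporting each missing or weak security header. The sample response and the one-year HSTS threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample in the form `curl -I` prints (not output from any real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=3600
"""

def parse_headers(raw: str) -> dict:
    """Turn a status line plus header block into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def analyze(headers: dict) -> list:
    """Return one finding per missing or weak security header (empty list = all checks pass)."""
    findings = []
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing: script/style sources unrestricted (XSS)")
    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not max_age:
        findings.append("Strict-Transport-Security missing: HTTP downgrade not prevented")
    elif int(max_age.group(1)) < 31536000:  # assumed threshold: one year, as HSTS preload requires
        findings.append("Strict-Transport-Security max-age shorter than one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing allowed")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid: page may be framed (clickjacking)")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing: full URL may be sent in Referer")
    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy missing: camera/microphone/geolocation not restricted")
    if headers.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read the response")
    return findings

if __name__ == "__main__":
    for finding in analyze(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```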

Conclusion

Check the HTTP headers of any website using our tool. Also check OG tags with the Open Graph checker and DNS records via DNS Lookup.
