HTTP Headers Viewer
Inspect the response headers any URL returns — status code, cache headers, security headers, and the full redirect chain.
Frequently asked questions
- How do I view the HTTP headers of a website?
- Paste the URL and click Fetch headers. We show every redirect hop and the full set of response headers from the final URL.
- What's the difference between request and response headers?
- Request headers are sent BY the client (User-Agent, Accept, Cookie). Response headers are sent BACK by the server (Content-Type, Cache-Control, Set-Cookie).
- What does cache-control do?
- It tells browsers and CDNs how long to cache the response. max-age=3600 means an hour; no-store forbids caching entirely.
- What is HSTS?
- Strict-Transport-Security tells browsers to only ever connect over HTTPS for this domain. Once seen, browsers refuse plain HTTP for the max-age window.
- How do I see redirects (301/302)?
- If the URL redirects, we show every hop with its status and Location header. The final headers come from the URL the redirects ended at.
- What are security headers (CSP, X-Frame-Options)?
- CSP (Content-Security-Policy) restricts what scripts and resources a page can load. X-Frame-Options controls whether other sites can embed the page in a frame, which prevents clickjacking. X-Content-Type-Options: nosniff stops MIME sniffing.
- Why does CORS block my request?
- CORS is a browser-side protection: a page's script can only read a cross-origin response if the server sends a matching Access-Control-Allow-Origin header. Our viewer runs on the server, so CORS doesn't apply here.
- Can I export the headers?
- Click the Copy button to grab the entire header block as plain text, handy for tickets, runbooks, and Stack Overflow questions.
- Does this work for API endpoints?
- Yes — any HTTP/HTTPS URL works. Some APIs return different headers based on the Accept or Authorization header, which we can't replicate.
- Why do I see different headers than in my browser?
- Some servers vary their response on User-Agent, Accept-Encoding, or Cookie. We send a generic UA with no cookies, so caching servers and personalized pages can answer differently.
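
An added example (not part of this tool or its code): a Python check over a copied header block that flags the issues described in the HSTS, security-header and cache-control answers above. The input format (an optional status line followed by `Name: value` lines), the finding codes and both sample blocks are assumptions constructed for illustration.

```python
import re

def parse_block(raw):
    """Parse 'Name: value' lines; names lowercased, repeats joined with ', '."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key and " " not in key:  # skips status lines such as "HTTP/1.1 200 OK"
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers

def max_age(value):
    """Return the max-age directive as an int, or None when it is absent."""
    m = re.search(r"(?<![\w-])max-age\s*=\s*\"?(\d+)", value or "", re.I)
    return int(m.group(1)) if m else None

def audit(raw):
    """Return finding codes for one copied response-header block."""
    h, findings = parse_block(raw), []
    hsts = max_age(h.get("strict-transport-security"))
    if not hsts:  # None: header absent; 0: tells the browser to drop the policy
        findings.append("hsts-missing" if hsts is None else "hsts-disabled")
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("csp-missing")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing-allowed")
    cc = h.get("cache-control", "").lower()
    cacheable = "public" in cc or (max_age(cc) or 0) > 0
    if "set-cookie" in h and cacheable and "no-store" not in cc and "private" not in cc:
        findings.append("cookie-response-cacheable")
    return findings

# Constructed sample blocks (not captured from any real site).
WEAK = """HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Set-Cookie: session=abc123; Path=/
X-Frame-Options: ALLOWALL
"""
HARDENED = """Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Cache-Control: no-store
"""
```

The last check flags a response that sets a cookie while also being marked cacheable, since a CDN could then serve one visitor's Set-Cookie to another.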