HTTP headers viewer
See all response headers and which security headers are present.
Response headers reveal how a site is configured — caching, server software, and importantly its security posture. Enter a URL to see every response header and a checklist of key security headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) so you can spot what's missing.
Frequently asked questions
Which security headers matter most?
Strict-Transport-Security (HSTS) and Content-Security-Policy give the most protection, followed by X-Frame-Options and X-Content-Type-Options.
Are missing headers a vulnerability?
Not by themselves, but they remove defenses against attacks like clickjacking and protocol downgrade. Adding them is low-risk hardening.
What does X-Content-Type-Options: nosniff do?
It stops browsers from guessing (MIME-sniffing) a response's content type, which prevents a file served as text from being executed as a script. It's a one-line header with no downside, so it should always be set.
Where are response headers configured?
Usually in your web server (Nginx, Apache), application framework, or CDN. If a header is missing, check whether a proxy or CDN in front of your app is stripping it before it reaches the client.
Why is the Server header a concern?
It can leak the exact software and version you run, helping attackers target known vulnerabilities. Trimming or removing version details is a small but worthwhile hardening step.
How is this different from the security headers grade tool?
This viewer shows every raw response header plus a present/missing checklist; the security headers grade tool scores just the protective headers A-F and explains how to fix each gap.
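The present/missing checklist and the Server header concern described above can be reproduced offline. The following is an added example, not this tool's own code: it parses a raw response head, reports which of the five checklist headers are present, and goes one step beyond the checklist by flagging two values that are present but ineffective. The function names and the sample response are constructed for illustration.

```python
import re

# The five headers in the page's checklist (header names are case-insensitive).
CHECKLIST = ["Strict-Transport-Security", "Content-Security-Policy",
             "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy"]

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (checklist, findings) for one raw response head."""
    h = parse_headers(raw)
    checklist = {name: name.lower() in h for name in CHECKLIST}
    findings = []
    # nosniff is the only value that has any effect for this header.
    xcto = h.get("x-content-type-options")
    if xcto and xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is set but not to nosniff")
    # HSTS with max-age=0 (or none) tells the browser to drop the policy.
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security has no usable max-age")
    # Server values such as product/1.2.3 expose a version number.
    for value in h.get("server", []):
        if re.search(r"/\d", value):
            findings.append("Server header discloses a version: " + value)
    return checklist, findings

# Constructed sample response head (not captured from a real site).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: nginx/1.18.0\r\n"
          "Content-Type: text/html\r\n"
          "strict-transport-security: max-age=0\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same audit against a response captured at the origin and one captured at the public edge shows whether a proxy or CDN is stripping a header in between.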