DiffCheck

HTTP Header Inspector Online

Inspect HTTP response headers for any URL: security headers, cache-control, content-type, and more.

What Is HTTP Header Inspector?

HTTP Header Inspector fetches and displays all HTTP response headers returned by a web server for any given URL. Use it to audit security headers, debug caching behavior, verify content negotiation, or check server configuration — all without leaving your browser. Security-related headers are highlighted in green and cache headers in yellow for quick identification.

How to Use HTTP Header Inspector

  1. Enter a URL (e.g. https://example.com) in the input field. The https:// prefix is added automatically if omitted.
  2. Click Fetch or press Enter.
  3. Browse the full header list, or use the Security / Cache filter tabs to focus on specific header categories.
  4. Click Copy to copy all headers in name: value format.

Features

  • Security header highlight — HSTS, CSP, X-Frame-Options, and more shown in green
  • Cache header filter — Cache-Control, ETag, Last-Modified, Vary grouped separately
  • Filter tabs — switch between All, Security, and Cache views
  • Copy all — export headers in name: value format
  • Auto https — prepends https:// if no scheme is provided

FAQ

What are HTTP response headers?

HTTP response headers are key-value pairs sent by a server alongside the response body. They convey metadata such as content type, caching directives, security policies, and server information.

Which security headers should every site have?

Important security headers include Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. This tool highlights these headers in green so you can quickly verify their presence.

Why might some headers be missing from the results?

Browser security restrictions (CORS) prevent JavaScript from reading all response headers. Headers not exposed via Access-Control-Expose-Headers may not appear. For a complete view, use a command-line tool like curl -I.

What does Cache-Control: no-store mean?

Cache-Control: no-store instructs browsers and intermediate caches not to store any version of the response. This is commonly used for sensitive pages like banking dashboards or authenticated user data.