RevealTheme logo

HTTP Header Analyzer

Fetch the response headers from any public domain and see which of nine recommended security headers are missing. The lookup runs server-side, so you only need to type a hostname.

How to use this tool

  1. 1

    Type a public hostname or URL (for example example.com or https://example.com) into the input box.

  2. 2

    Press Analyze. The tool's server sends a GET request to that host over HTTPS, falling back to HTTP if needed.

  3. 3

    Read the yellow 'Missing security headers' panel to see which of the nine tracked headers are absent.

  4. 4

    Scroll the 'All headers' list to inspect every header the server actually returned, value by value.

What does an HTTP header analyzer actually check?

Every HTTP response is preceded by header lines that describe it: Content-Type, Cache-Control, Set-Cookie, Server, and a growing set of security headers that browsers enforce. This tool issues a GET request to the host you enter and lists every response header it receives back, then flags which of nine recommended security headers are missing: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. It is a presence check, not a grader: it confirms whether each header exists but does not score it or judge the quality of its value, so a weak Content-Security-Policy still counts as present. The request is made from this site's server, not your browser, using a desktop Chrome User-Agent string. It follows up to five redirects and reports the final response's headers. Because the input is reduced to a bare hostname, a path you type (such as example.com/login) is ignored and the site root is analyzed instead. For value-level scoring and letter grades, pair this with securityheaders.com or Mozilla Observatory.

Common use cases

  • Confirm a freshly deployed site is sending HSTS and a Content-Security-Policy before you announce launch.

  • Spot-check a competitor's or vendor's public domain to see how their security header posture compares to yours.

  • Verify that a CDN or reverse-proxy change (Cloudflare, Fastly, nginx) is actually adding the headers you configured at the edge.

  • Quickly read Cache-Control, ETag, and Content-Type on a production response when debugging a caching or MIME-type bug.

  • Check whether a redirect chain ends on HTTPS and what the final hop's headers look like, since the tool follows up to five redirects.

  • Hand a developer a concrete list of missing headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to add to their server config.

Frequently asked questions

Which security headers does it look for?
Exactly nine: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. Any of these not present in the response is listed under 'Missing security headers'.
Does it grade or score my headers?
No. It only checks whether each of the nine headers is present. It does not inspect the value, so an overly permissive Content-Security-Policy or a short HSTS max-age still shows as present. For value analysis and a letter grade, use securityheaders.com or Mozilla Observatory.
Is the request made from my browser?
No. Your browser only sends the hostname to this site's API, and the API fetches the target from its own server using a desktop Chrome User-Agent. The site you analyze sees this server's IP and that User-Agent, not your machine. Servers that vary headers by User-Agent may return slightly different results than you would see in your own browser.
Why did the path in my URL get ignored?
The tool reduces whatever you enter to a bare hostname and always requests the site root. If you type example.com/dashboard, it analyzes example.com. To inspect headers on a specific path, use curl -I or your browser's network tab instead.
Can I analyze localhost or an internal IP?
No. Requests to localhost, loopback, private ranges (10.x, 192.168.x, 172.16-31.x), link-local 169.254.x, and cloud metadata endpoints are blocked to prevent server-side request forgery. Test internal hosts with a local tool such as curl.
What happens with redirects?
It follows up to five redirects, re-checking each hop's host, and reports the headers from the final response. It tries HTTPS first and falls back to HTTP if the HTTPS request fails.
It only flags missing headers — what about risky ones it returns?
Correct. The report does not flag present-but-risky headers like X-Powered-By or a verbose Server banner. As general hardening advice, hiding those in your framework config makes reconnaissance harder, but this tool will not call them out for you.

Related tools