HTTP Header Analyzer
Fetch the response headers from any public domain and see which of nine recommended security headers are missing. The lookup runs server-side, so you only need to type a hostname.
How to use this tool
- 1
Type a public hostname or URL (for example example.com or https://example.com) into the input box.
- 2
Press Analyze. The tool's server sends a GET request to that host over HTTPS, falling back to HTTP if needed.
- 3
Read the yellow 'Missing security headers' panel to see which of the nine tracked headers are absent.
- 4
Scroll the 'All headers' list to inspect every header the server actually returned, value by value.
What does an HTTP header analyzer actually check?
Every HTTP response is preceded by header lines that describe it: Content-Type, Cache-Control, Set-Cookie, Server, and a growing set of security headers that browsers enforce. This tool issues a GET request to the host you enter and lists every response header it receives back, then flags which of nine recommended security headers are missing: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. It is a presence check, not a grader: it confirms whether each header exists but does not score it or judge the quality of its value, so a weak Content-Security-Policy still counts as present. The request is made from this site's server, not your browser, using a desktop Chrome User-Agent string. It follows up to five redirects and reports the final response's headers. Because the input is reduced to a bare hostname, a path you type (such as example.com/login) is ignored and the site root is analyzed instead. For value-level scoring and letter grades, pair this with securityheaders.com or Mozilla Observatory.
Common use cases
Confirm a freshly deployed site is sending HSTS and a Content-Security-Policy before you announce launch.
Spot-check a competitor's or vendor's public domain to see how their security header posture compares to yours.
Verify that a CDN or reverse-proxy change (Cloudflare, Fastly, nginx) is actually adding the headers you configured at the edge.
Quickly read Cache-Control, ETag, and Content-Type on a production response when debugging a caching or MIME-type bug.
Check whether a redirect chain ends on HTTPS and what the final hop's headers look like, since the tool follows up to five redirects.
Hand a developer a concrete list of missing headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to add to their server config.
Frequently asked questions
Which security headers does it look for?▼
Does it grade or score my headers?▼
Is the request made from my browser?▼
Why did the path in my URL get ignored?▼
Can I analyze localhost or an internal IP?▼
What happens with redirects?▼
It only flags missing headers — what about risky ones it returns?▼
Related tools
DNS Lookup
Look up DNS records (A, AAAA, MX, TXT, NS) for any domain.
WHOIS Lookup
Get full WHOIS data for any domain.
SSL Certificate Checker
Check SSL certificate validity, issuer, and expiry.
HTTP Status Code Checker
Check status code of any URL — single or bulk.
Redirect Chain Tracer
Follow every hop in a redirect chain.
Mixed Content Checker
Find HTTP resources loaded on HTTPS pages.