Overview
Use it when you need to see which headers a public response actually sends
Use HTTP Header Analyzer when you need one public-response audit that leads with security header coverage but still keeps transport and indexing signals in view.
Security review
Check HSTS, CSP, framing protection, referrer policy, and related headers before or after a launch.
Response triage
Inspect the final response URL and status after redirects without reaching for browser tooling.
Transport diagnostics
Confirm cache, compression, and robots directives while you review the same response.
Supported inputs
Bring a public URL and decide which response hop you want to inspect
- Accepts a public HTTP or HTTPS URL and can inspect either the first response or the final landing response.
- Blocks localhost, private networks, and internal destinations during fetch validation.
- Scores core security headers alongside normalized response headers, redirect context, cache details, compression hints, and robots directives.
Walk through it
Follow the same sequence you see in the tool
Workflow
Inspect the final response
Use this flow when you want the headers users and crawlers reach after redirects settle.
- Paste the public URL you want to inspect and leave redirect following enabled.
- Run the analyzer and review the security verdict cards before you scan the full header list.
- Check the final URL, status, cache details, and compression signal before you log follow-up work.
Workflow
Review the first hop only
Use this flow when you want to inspect the redirecting URL itself instead of the destination.
- Turn off redirect following before you submit the URL.
- Review the returned status, Location header behavior, and any security headers on that first response.
- Compare the result against the final-response mode if you need to see both layers.
What you get
Check the result before you copy it into the next step
Security verdicts
Core security headers are scored first so missing transport or framing protections are easy to spot.
Response summary
The final URL, status, redirect count, cache behavior, compression, and robots signals are summarized together.
Normalized header list
Every returned response header is shown in a stable, copy-ready format.
Avoid these mistakes
Small input choices change which headers you end up reviewing
Checking a private destination
Only public URLs can be fetched. Internal or localhost targets are blocked.
Reading only one response layer
Switch between first-hop and final-response mode when redirects might change the header set.
Treating warnings as exhaustive policy advice
Use the checks as a practical baseline, then compare them to your own security requirements.
Glossary
Decode the terms before you act on them
This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.
Content-Security-Policy
Content-Security-Policy, often shortened to CSP, tells the browser which sources are allowed for scripts, styles, frames, and other content. Teams use it to reduce the impact of injection bugs and to control embedding behavior.
HSTS
HSTS stands for HTTP Strict Transport Security. It tells browsers to use HTTPS for future visits so users are less exposed to downgrade or mixed-scheme mistakes.
X-Frame-Options
X-Frame-Options is an older framing control header. It tells browsers whether the page may be displayed inside a frame or iframe on another page.
frame-ancestors
frame-ancestors is the modern CSP directive for framing protection. It defines which parent pages, if any, are allowed to embed the current page.
Referrer-Policy
Referrer-Policy controls how much URL information the browser shares with the next site when a user follows a link or loads a resource.
Permissions-Policy
Permissions-Policy lets a site explicitly allow or deny access to browser features such as camera, microphone, geolocation, and similar capabilities.
nosniff
nosniff is the only defined value for X-Content-Type-Options. It tells browsers not to MIME-sniff a different content type from the one the server declared.
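To make the verdict cards and the public-destination rule concrete, here is an added Python sketch of both checks; it is not the tool's own code. It assumes a one-year HSTS threshold, labels each header pass/warn/missing, and takes a resolver callback so the sample runs offline; the sample headers are constructed.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumption: minimum HSTS max-age counted as a pass


def score_security_headers(headers):
    """Score the core security headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    verdict = {}
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        verdict["HSTS"] = "missing"
    else:
        verdict["HSTS"] = "pass" if age and int(age.group(1)) >= ONE_YEAR else "warn"
    csp = h.get("content-security-policy", "")
    if not csp:
        verdict["CSP"] = "missing"
    else:  # a policy that allows inline script weakens injection protection
        verdict["CSP"] = "warn" if "'unsafe-inline'" in csp else "pass"
    # Framing: frame-ancestors is the modern control, X-Frame-Options the legacy fallback.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN"):
        verdict["Framing"] = "pass"
    else:
        verdict["Framing"] = "missing"
    verdict["Referrer-Policy"] = "pass" if h.get("referrer-policy") else "missing"
    verdict["Permissions-Policy"] = "pass" if h.get("permissions-policy") else "missing"
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    verdict["nosniff"] = "pass" if nosniff else "missing"
    return verdict


def is_public_destination(url, resolve=socket.gethostbyname):
    """Refuse localhost, private and internal hosts before any fetch happens."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith((".localhost", ".internal")):
        return False
    try:
        ip = ipaddress.ip_address(resolve(host))  # resolver injected for offline use
    except (socket.gaierror, ValueError):
        return False
    return ip.is_global  # False for loopback, RFC 1918, link-local, reserved ranges


# Constructed sample responses: a final landing page and a bare first-hop redirect.
SAMPLE_FINAL_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}
SAMPLE_FIRST_HOP = {"Location": "https://example.com/", "X-Frame-Options": "deny"}
```

Scoring both samples shows why the page tells you to inspect each hop: the redirecting response carries almost none of the protections the final page sends.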