HTTP Headers Checker
View all HTTP response headers for any URL and check for missing security headers like HSTS, CSP, and X-Frame-Options.
How to use this tool
1. Enter the full URL including https:// (or just the domain; https:// will be added).
2. Click "Check Now" to fetch the HTTP response headers.
3. Results show all response headers, status code, and any missing security headers.
4. Security headers like HSTS and CSP protect users from common web vulnerabilities.
Frequently asked questions
What are HTTP response headers?
HTTP response headers are metadata sent by the server alongside a web response. They control browser behavior, caching, cookies, security policies, and content negotiation. Examples include Content-Type, Cache-Control, Set-Cookie, and Strict-Transport-Security.
What is HSTS (Strict-Transport-Security)?
HSTS tells browsers to only connect to your site over HTTPS, never plain HTTP — even if the user types http://. Once a browser sees an HSTS header, it enforces HTTPS for all future visits for the specified duration. This prevents SSL stripping attacks.
What is Content-Security-Policy (CSP)?
CSP is a powerful security header that controls which resources (scripts, styles, images, frames) a page can load and from where. A strict CSP prevents cross-site scripting (XSS) attacks by blocking injected scripts from untrusted sources.
What does X-Frame-Options do?
X-Frame-Options prevents your page from being embedded in a <frame> or <iframe> on another site. This stops clickjacking attacks, where an attacker loads your site in an invisible frame layered over their own page so that users click your UI without realizing it. Use SAMEORIGIN to allow framing only from your own domain, or DENY to block framing completely.
HTTP Headers Checker — Inspect response headers and security configuration
Essential security headers
- Strict-Transport-Security (HSTS): forces HTTPS.
- Content-Security-Policy: blocks XSS.
- X-Content-Type-Options: nosniff prevents MIME sniffing attacks.
- X-Frame-Options or CSP frame-ancestors: prevents clickjacking.
- Referrer-Policy: controls what referrer information is sent.
- Permissions-Policy: restricts browser API access.
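The checks listed above, as an added Python example that is not this tool's own code: it audits one set of response headers, validates values rather than only presence, and accepts CSP frame-ancestors in place of X-Frame-Options. The 180-day HSTS threshold, the finding strings and the sample headers are assumptions made for the example.

```python
import re

# Assumed minimum HSTS lifetime for this example (180 days); not from the page.
MIN_HSTS_MAX_AGE = 15552000

def csp_directives(policy):
    """Split a CSP value into {directive-name: [source tokens]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(headers):
    """Return a sorted list of (header, problem) findings for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m:
            findings.append(("strict-transport-security", "no max-age"))
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("strict-transport-security", "max-age too short"))
    csp = csp_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append(("content-security-policy", "missing"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "missing or not nosniff"))
    # Clickjacking: either X-Frame-Options or CSP frame-ancestors is enough.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("x-frame-options", "no framing restriction"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append((name, "missing"))
    return sorted(findings)

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
print(audit(SAMPLE))
```

The sample passes the clickjacking check through frame-ancestors alone, while its one-hour HSTS max-age is reported even though the header is present.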
Caching headers explained
Cache-Control controls how long responses are cached (e.g. max-age=3600). ETag is a fingerprint for cache validation. Last-Modified is an alternative timestamp-based validator. Vary tells CDNs which request headers affect the response — critical for serving different content to mobile vs desktop.
Learn more from an authoritative source:
MDN Web Docs