Skip to content
D1
EN

Web response audit

HTTP Header Checker

Audit response headers for security, cache behavior and transport details.

This form calls the relative endpoint: /site-api/tools/headers

How to use the HTTP header checker

  1. Enter a full URL or hostname (https preferred). The checker requests the resource and captures response headers without opening browser DevTools — useful on locked-down machines or when sharing output with non-developers.
  2. Review the status line, redirect chain, and final response headers. Each hop in a redirect sequence is shown so you can see http→https upgrades, www canonicalization, or tracking intermediaries before the ultimate document.
  3. Focus on caching, security, and cookie headers for your investigation. Copy the header block into tickets, runbooks, or compliance evidence — DN01 shows live responses from our fetch path, not a cached screenshot from a previous audit.
  4. Re-run after CDN or origin changes and compare with SSL Certificate Checker results on the same host. Recent successful checks stay in local browser history; we do not provide historical header time-series or worldwide edge-node grids.

HTTP response headers we highlight

Response headers carry caching policy, security posture, redirects, and server hints. The table lists fields operators inspect during migrations, CDN cutovers, and security reviews. Headers describe what the server declared in the HTTP layer — they do not replace DNS Checker confirmation that A/AAAA point at the intended origin, or WHOIS context for the domain owner. Pair all three when debugging «wrong site answers» reports.

HeaderWhy inspect itSample value
Status codeHTTP result and redirect semantics200 OK, 301 Moved Permanently
LocationRedirect target in 3xx responseshttps://www.example.com/
Cache-ControlBrowser and CDN caching policymax-age=3600, public
Strict-Transport-SecurityHSTS — force HTTPS for returning clientsmax-age=31536000; includeSubDomains
Content-Security-PolicyScript and resource load restrictionsdefault-src 'self'
Set-CookieSession and tracking cookie issuanceSecure; HttpOnly; SameSite=Lax
Server / X-Powered-ByStack fingerprinting (often worth removing)nginx, cloudflare
ETag / Last-ModifiedConditional caching validatorsW/"abc123"
Content-TypeDeclared body formattext/html; charset=utf-8
Access-Control-Allow-OriginCORS policy for browser APIs*

When to inspect HTTP headers

Run the HTTP header checker after deploying a new origin, switching CDN orange-cloud modes, or enabling HSTS. Cache-Control and CDN-specific headers explain why users see stale HTML despite a fresh deploy — compare ETag and max-age before purging blindly. If headers show a different Server banner than expected, confirm DNS A/AAAA with DNS Checker — you may be hitting an old load balancer IP.

Security reviews use HSTS, CSP, X-Frame-Options, Referrer-Policy, and Permissions-Policy to gauge baseline hardening. Missing HSTS on HTTPS-only sites leaves first-visit downgrade windows. CSP misconfiguration breaks scripts in production — header checker captures the live policy string for diffing against staging. SSL Certificate Checker validates the certificate; headers validate what the app sends after TLS terminates.

Redirect debugging benefits from seeing the full chain: marketing short links, apex→www rules, and http→https upgrades each add a hop. Support threads often need the exact 301 Location target — copy from the checker instead of guessing from browser address bars that may hide intermediate steps.

API and SPA teams inspect CORS headers (Access-Control-Allow-Origin) when browser consoles show blocked fetches. Headers prove what the edge returns to unauthenticated GET requests — distinct from POST preflight behavior you may still need to test separately.

Compliance and cookie-banner projects catalog Set-Cookie attributes: Secure, HttpOnly, SameSite. Header checker documents issuance on the landing URL — useful before privacy audits. DN01 does not scan entire sites for every cookie on every path; start with the URL under investigation.

Load balancers sometimes strip Server headers while adding Via — document both when hardening fingerprinting policy. Pen testers use header variance to map CDN vs origin; your hardening ticket should list intentional differences per hostname.

Mobile apps calling APIs may never show browser DevTools — paste failing API URLs into header checker to capture 401/403 response headers (WWW-Authenticate, Retry-After) for backend triage without reproducing on device.

Troubleshooting header surprises

Different headers at the same URL from office VPN vs mobile network often mean geo-routed CDNs or split A records — compare DNS Checker answers and re-fetch from the header tool's path. We show one fetch snapshot, not fifty global edge nodes.

301 vs 302 vs 307 matter for SEO and method preservation. The checker exposes status codes per hop — do not assume all redirects are equivalent. Meta refresh redirects in HTML bodies are outside HTTP header scope; view page source if Location is missing but browser still moves.

Stale Cache-Control with long max-age at the CDN while origin sends no-cache means edge configuration overrides origin — fix the CDN rule, purge, then re-check headers. Empty Cache-Control on static assets may cause excessive revalidation — intentional on HTML, wasteful on immutable assets.

Security headers present on www but missing on apex (or vice versa) usually mean incomplete vhost config. Check both hostnames separately. HSTS on only one label leaves sibling labels vulnerable — align TLS virtual hosts and re-run SSL Certificate Checker for SAN coverage.

Brotli and gzip Content-Encoding affect body delivery but not header semantics — do not confuse missing Content-Length on chunked responses with errors; focus on cache and security headers for policy audits.

Headers, TLS, and DNS — layered debugging

HTTP headers exist above TCP/TLS. A valid certificate from SSL Certificate Checker does not imply correct caching or CSP. Conversely, perfect security headers on the wrong IP mean DNS still points elsewhere for some resolvers — triangulate with DNS Checker and DIG on A/AAAA.

CDN proxies terminate TLS and may strip or inject headers. Server and Via headers reveal how many proxies participated. Origin-only diagnostics require grey-cloud or direct-origin fetches outside the CDN — DN01 fetches the public URL you enter, typically through whatever path DNS defines today.

HSTS preload lists and certificate transparency are outside this tool's scope. Header checker shows Strict-Transport-Security on live responses — enough for many audits, not a substitute for preload registry submission or CT log monitoring.

Automate recurring header regression checks via the documented API after token registration. Browser UI remains best for ad-hoc investigations with copy buttons and localized labels — we do not sell a full SIEM or WAF analytics dashboard.

HTTP/3 and QUIC change how connections establish but many security headers remain HTTP semantic layer — checker documents headers on the fetched response path your URL negotiates today, not every experimental edge protocol variant.

Stale 304 Not Modified responses depend on If-None-Match client behavior — header checker on bare URL may show 200 while browsers with cached ETag see 304; document test conditions when comparing support screenshots.

DN01 does not execute JavaScript — SPAs that set security headers only after client render may mislead if you only inspect static hosting URLs.

Five-step post-deploy header verification

  1. DNS Checker on apex and www — confirm A/AAAA/CNAME target the intended origin or CDN.
  2. SSL Certificate Checker on https URLs — validate chain, expiry, and SAN hostnames.
  3. HTTP header checker on the same URLs — capture status, redirects, HSTS, CSP, Cache-Control.
  4. Compare staging vs production header diffs; file tickets for missing security headers.
  5. Archive outputs with timestamps; re-run after CDN purge or WAF rule changes — local history only on your browser.

HTTP header checker vs curl, DevTools, and scanners

curl -I is the operator standard but blocked on many corporate laptops and intimidating for non-CLI teammates. DN01 formats headers for copy-paste with redirect chains visible in one panel — same information class, gentler UX, eight locales.

Browser DevTools Network tabs excel at interactive debugging with POST bodies and WebSockets. Header checker targets quick GET/HEAD-style snapshots of response metadata for tickets — not full HAR exports or waterfall timing analysis.

Dedicated security scanners crawl sites, score headers, and track CVEs. DN01 provides honest single-URL fetches without a paid grade badge or mass crawl — pair with your scanner for depth, use DN01 for fast «what does this URL return right now?»

We do not follow arbitrary JavaScript redirects, authenticate to apps, or store historical header databases per customer. Rate limits protect the service. Propagation-style worldwide edge maps are out of scope — DNS Checker and DIG answer addressing; we answer HTTP metadata for the URL you submit.

Enterprise WAF teams maintain allowlists for header inspection bots — DN01 fetches resemble normal monitoring traffic but always coordinate with your security policy before automating high-volume checks against production. We report what we receive; we do not bypass bot management or solve CAPTCHA gates on your behalf.

Third-party tag managers inject scripts that alter perceived performance — header checker documents server declarations; Lighthouse and RUM tools measure client experience. Use both when marketing asks why «cache headers look fine but users see stale HTML» — edge worker middleware may rewrite bodies after origin responds.

Reverse proxy auth gateways return 302 to login with Set-Cookie — capture those headers when debugging SSO integrations; DN01 does not perform authenticated sessions but documents pre-auth redirects that confuse API clients expecting JSON.

Why use DN01 HTTP header checker

  • Live response headers and redirect chains without DevTools or curl — copy-friendly for support tickets.
  • Natural fit with DNS Checker, SSL Certificate Checker, and WHOIS on the same site for layered domain reviews.
  • Eight localized interfaces, local recent history, and API access for scheduled checks — no fake global edge grid.
  • Honest limits: single-URL snapshots, no full-site crawl storage, no WAF replacement.

FAQ

HTTP header checker FAQ

Read response headers, redirects, caching, and security signals without opening DevTools.

What headers are most useful to inspect?

Start with status, redirect location, content type, cache-control, HSTS, CSP, and server hints. The HTTP security headers check article explains the security-focused ones.

Can this checker follow redirects?

It shows the response chain so you can see whether a URL moves through HTTP, HTTPS, canonical hostnames, or tracking redirects before the final response.

How do I debug caching problems?

Look at Cache-Control, Expires, ETag, Last-Modified, and CDN headers. The Cache-Control header guide gives practical examples.

Can I run header checks from automation?

Yes. Use the API docs for request shape and get a token for scheduled or CI checks.

What is HSTS and why check it?

Strict-Transport-Security forces browsers to use HTTPS for a period. Verify it after TLS deployment — see HSTS header explained.

Does a header check prove the site is secure?

No. Headers are one layer. You still need valid TLS from SSL Certificate Checker, patched application code, and sane DNS from DNS Checker.

Why do headers differ between requests?

CDNs, A/B tests, auth cookies, and geographic PoPs can change response headers. Compare the same URL with and without cookies and note which hop in the redirect chain sets each header.

Can I inspect API responses?

Yes. Paste any HTTPS URL that returns a response body — JSON APIs included. Focus on Content-Type, Cache-Control, CORS headers, and security headers on public endpoints.

How do I check security headers quickly?

Run the URL here and scan for Content-Security-Policy, X-Frame-Options or frame-ancestors, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing headers are not always vulnerabilities but deserve a ticket when hardening production.

What status codes will I see?

Common codes include 200 OK, 301/302 redirects, 304 Not Modified, 401/403 auth failures, and 5xx server errors. The checker lists each hop so you can see where a redirect loop or HTTP→HTTPS upgrade happens.

Is the HTTP header checker free?

Yes for manual browser checks. Rate limits apply; recurring monitoring can use the API docs after API registration.

Should I compare headers before and after deploy?

Yes — capture a baseline before CDN or security header changes, deploy, then re-run the same URL. Small diffs in Cache-Control or CSP often explain stale assets or broken embeds.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common HTTP Header Checker tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to HTTP Header Checker