To check any website's HTTP headers, use a tool that fetches the page server-side (not your browser DevTools, which only shows requests your own browser makes) and displays the raw response headers, including security headers like Content-Security-Policy, cache directives, and server information.
Every HTTP request and response carries headers — metadata about the connection, content, and server configuration. Inspecting headers reveals whether a site is using caching correctly, which security policies are in place, and sometimes even what server software is running.
How to Check HTTP Headers
Option 1: Online Header Checker
Use Anonymiz HTTP Headers Checker — enter any URL and see the full response headers instantly. Includes status code, server info, caching headers, and security headers. Free, no account needed.
Option 2: Browser DevTools
- Open Chrome or Firefox DevTools (F12).
- Click the Network tab.
- Reload the page.
- Click on any request in the list.
- View the Headers tab — Response Headers section shows all server headers.
Option 3: curl Command Line
curl -I https://example.comThe -I flag fetches only headers (HEAD request).
Important Headers to Check
- Server — Reveals the web server software (nginx, Apache, Cloudflare). Security-conscious sites hide this.
- X-Powered-By — Often exposes the backend language (PHP/7.4, ASP.NET). Should be removed.
- Cache-Control — How long browsers and CDNs cache this response.
- Content-Security-Policy — The CSP security header. Absence means no XSS protection.
- Strict-Transport-Security — HSTS. Forces HTTPS. Should be present on all HTTPS sites.
- X-Frame-Options — Clickjacking protection.
- ETag / Last-Modified — Caching validation headers.
Security Headers Grading
For a full security headers audit with an A-F grade, use Anonymiz HTTP Security Headers Checker. It checks for all security-critical headers and tells you exactly what is missing.
Checking Headers With curl
# Response headers only, follow redirects
curl -IL https://example.com
# Full request/response detail, useful for debugging
curl -v https://example.com
# Check a specific header
curl -sI https://example.com | grep -i "content-security-policy"Security Headers Explained
- Strict-Transport-Security (HSTS) — tells browsers to only connect over HTTPS for a specified duration, preventing protocol downgrade attacks. Example:
max-age=31536000; includeSubDomains. - Content-Security-Policy (CSP) — restricts which sources scripts, styles, and other resources can load from, mitigating XSS attacks. A missing CSP is one of the most common security gaps on production sites.
- X-Frame-Options — set to
DENYorSAMEORIGINto prevent clickjacking via iframe embedding. - Referrer-Policy — controls how much of the referring URL is sent to other sites.
strict-origin-when-cross-originis the modern browser default;no-referreris the strictest option. - Permissions-Policy — restricts which browser features (camera, microphone, geolocation) a page can access, even from embedded third-party content.
Caching Headers
- Cache-Control — the primary caching directive.
public, max-age=3600allows caching for one hour;no-storeprevents caching entirely (important for pages with sensitive data). - ETag — a hash-based validator that lets browsers ask "has this changed?" without re-downloading the full resource if the answer is no.
- Last-Modified — a timestamp-based alternative to ETag for the same conditional-request purpose.
Common Header Mistakes That Hurt Security or Performance
- Missing HSTS on a site that supports HTTPS, leaving users vulnerable to downgrade attacks on their first visit
- No CSP at all, or an overly permissive one (
script-src *) that defeats its own purpose - Caching pages that contain user-specific or sensitive data with a long
max-age - Missing
X-Content-Type-Options: nosniff, allowing browsers to guess content types in ways that can enable attacks


