Every HTTP request and response carries headers — metadata about the connection, content, and server configuration. Inspecting headers reveals whether a site is using caching correctly, which security policies are in place, and sometimes even what server software is running.
How to Check HTTP Headers
Option 1: Online Header Checker
Use Anonymiz HTTP Headers Checker — enter any URL and see the full response headers instantly. Includes status code, server info, caching headers, and security headers. Free, no account needed.
Option 2: Browser DevTools
- Open Chrome or Firefox DevTools (F12).
- Click the Network tab.
- Reload the page.
- Click on any request in the list.
- View the Headers tab — Response Headers section shows all server headers.
Option 3: curl Command Line
curl -I https://example.comThe -I flag fetches only headers (HEAD request).
Important Headers to Check
- Server — Reveals the web server software (nginx, Apache, Cloudflare). Security-conscious sites hide this.
- X-Powered-By — Often exposes the backend language (PHP/7.4, ASP.NET). Should be removed.
- Cache-Control — How long browsers and CDNs cache this response.
- Content-Security-Policy — The CSP security header. Absence means no XSS protection.
- Strict-Transport-Security — HSTS. Forces HTTPS. Should be present on all HTTPS sites.
- X-Frame-Options — Clickjacking protection.
- ETag / Last-Modified — Caching validation headers.
Security Headers Grading
For a full security headers audit with an A-F grade, use Anonymiz HTTP Security Headers Checker. It checks for all security-critical headers and tells you exactly what is missing.
