HTTP headers are metadata transmitted with every web request and response. They carry information about the server, the content, security policies, caching rules, and more. Knowing how to read them is essential for developers, security researchers, and anyone debugging web issues.
What Are HTTP Headers?
When your browser requests a web page, it sends request headers — including your browser type, accepted languages, and referrer URL. The server responds with response headers alongside the page content — including content type, server software, caching directives, security policies, and more. Headers are plain text key-value pairs that travel with every HTTP transaction.
The Most Important Response Headers
Content-Type tells the browser what kind of data is being sent — text/html for web pages, application/json for API responses, image/png for images. Without this header, browsers have to guess the content type.
Cache-Control controls how long the browser and CDN cache the response. max-age=3600 means cache for one hour. no-cache forces revalidation before serving from cache. no-store prevents any caching entirely.
X-Frame-Options prevents clickjacking attacks by controlling whether the page can be embedded in an iframe. DENY blocks all framing. SAMEORIGIN allows framing only from the same domain.
Strict-Transport-Security (HSTS) tells browsers to always use HTTPS for this domain, even if the user types the URL without https://. max-age=31536000 sets this policy for one year.
Content-Security-Policy (CSP) defines which sources of content are trusted — preventing cross-site scripting (XSS) attacks by blocking scripts from unauthorised origins.
X-Content-Type-Options: nosniff prevents browsers from MIME-type sniffing — forcing them to respect the Content-Type header and not try to interpret files as a different type.
Security Headers — Quick Audit
A well-configured web server should include: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Missing security headers are one of the most common web security issues and are easily fixed with a few lines of server configuration.
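The checks described above can be run against a captured header block without any tool. The following script is an added example, not part of this page or of the Anonymiz checker: it parses a raw response header block (the SAMPLE_RESPONSE text is constructed, not captured from a real site), then reports missing or weak security headers using the values this page names (HSTS max-age of one year, X-Frame-Options DENY/SAMEORIGIN, nosniff) and flags a Server header that discloses a version.

```python
import re
from typing import Dict, List

# Constructed sample header block, as it would appear in DevTools or a headers
# checker. Deliberately misconfigured so the audit has something to report.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.23.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600, must-revalidate
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src 'self'
"""

ONE_YEAR = 31536000  # HSTS max-age recommended on this page

REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response header block into a dict keyed by lowercase name.

    Header names are case-insensitive, so keys are normalised. The first line
    is the status line and is skipped; a blank line ends the header section.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=3600, must-revalidate' into {'max-age': '3600', 'must-revalidate': ''}."""
    out: Dict[str, str] = {}
    for part in re.split(r"[,;]", value):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")
    if "content-type" not in headers:
        findings.append("missing: content-type (browsers will guess the type)")

    hsts = headers.get("strict-transport-security")
    if hsts:
        try:
            max_age = int(parse_directives(hsts).get("max-age", "0"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"weak: strict-transport-security max-age={max_age} (< {ONE_YEAR})")

    xfo = headers.get("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options value {xfo!r} does not block framing")

    xcto = headers.get("x-content-type-options")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"weak: x-content-type-options value {xcto!r} is not nosniff")

    # A "/<digit>" suffix (nginx/1.23.1, Apache/2.4.54) discloses the version.
    server = headers.get("server")
    if server and re.search(r"/\d", server):
        findings.append(f"disclosure: server header reveals version ({server})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Feed the script the header block copied from the DevTools Response Headers pane or from the checker's output; the sample above produces two "missing" findings, two "weak" findings and one version disclosure.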
How to Inspect HTTP Headers
The Anonymiz HTTP Headers Checker fetches any URL and displays all response headers in a clean readable format. No account required. Use it to audit your own site's headers, check what information a server is revealing, or verify that security headers are correctly configured.
You can also inspect headers in browser DevTools — open the Network tab, click any request, and view the Response Headers section.
Frequently Asked Questions
Can HTTP headers reveal server software?
Yes — the Server header often reveals the web server software and version (Apache/2.4.54, nginx/1.23.1). This information helps attackers identify potential vulnerabilities. Security-conscious administrators set custom Server header values or remove the header entirely.
What does a 301 vs 302 redirect mean in headers?
Both are redirect status codes. 301 is a permanent redirect — search engines update their index to point to the new URL and pass link equity. 302 is temporary — search engines keep indexing the original URL. Use 301 for permanent moves and 302 for temporary redirects like A/B testing.
