Check Header
Inspect HTTP headers, analyze server responses, and audit security configurations for websites and APIs.
What is Header Checking?
HTTP headers contain metadata about requests and responses. The Check Header tool helps you:
✅ View All Headers - See complete HTTP response headers
✅ Analyze Security - Check security headers (HSTS, CSP, etc.)
✅ Debug APIs - Inspect API response headers
✅ Check Caching - Verify cache configuration
✅ Troubleshoot Issues - Diagnose server problems
Accessing Check Header
From Web Tools Tab
- Open any host connection
- Click "Web Tools" tab
- Select "Check Header" from left menu
Interface Overview
┌──────────────────────────────────────────────────────┐
│ Check Header                                         │
├──────────────────────────────────────────────────────┤
│ Website URL:                                         │
│ ┌────────────────────────────────────────────┐       │
│ │ https://example.com                        │       │
│ └────────────────────────────────────────────┘       │
│ [Check]                                              │
├──────────────────────────────────────────────────────┤
│ HTTP Status: 200 OK                                  │
│ Total Headers: 15                                    │
│                                                      │
│ [Copy All Headers]                                   │
│                                                      │
│ Important Headers:                                   │
│ ┌────────────────────────────────────────────────┐   │
│ │ content-type: text/html; charset=UTF-8         │   │
│ │ content-length: 12345                          │   │
│ │ server: nginx                                  │   │
│ │ cache-control: max-age=3600                    │   │
│ │ strict-transport-security: max-age=31536000    │   │
│ │ content-security-policy: default-src 'self'    │   │
│ └────────────────────────────────────────────────┘   │
│                                                      │
│ Other Headers:                                       │
│ ┌────────────────────────────────────────────────┐   │
│ │ date: Thu, 17 Oct 2024 12:00:00 GMT            │   │
│ │ etag: "abc123"                                 │   │
│ │ x-powered-by: PHP/8.1                          │   │
│ └────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────┘
How to Use
Step 1: Enter URL
Enter the URL to check:
https://example.com
https://api.example.com/endpoint
https://example.com/page.html
Step 2: Execute Check
Click "Check" or press Enter
The tool will:
- Make HTTP request to URL
- Capture all response headers
- Display status code
- Categorize headers (important vs other)
- Show total header count
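The capture-and-categorize step above, written out as an added example (this is not the Check Header tool's own code): it parses a constructed raw HTTP/1.1 response into a status code and lowercase headers, keeps repeated headers as a list so two Set-Cookie values are never merged, and splits them into the "Important" and "Other" panes. The IMPORTANT set is an assumed choice modelled on the screenshot.

```python
# Headers shown in the "Important Headers" pane: an assumed set modelled on the screenshot.
IMPORTANT = {
    "content-type", "content-length", "content-encoding", "server", "cache-control",
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
}

def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 response into status, reason and lowercase headers; repeated
    headers stay a list (never joined) because Set-Cookie values may contain commas."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")   # headers end at the first blank line
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)                    # "HTTP/1.1 200 OK" -> 3 parts
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():             # ignore lines that are not headers
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "", "headers": headers}

def categorize(headers: dict) -> tuple:
    """Return (important, other, total) like the tool's two panes and header count."""
    important = {k: v for k, v in headers.items() if k in IMPORTANT}
    other = {k: v for k, v in headers.items() if k not in IMPORTANT}
    return important, other, sum(len(v) for v in headers.values())

# Constructed sample response modelled on the screenshot above; not a real capture.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 12345\r\n"
    b"Server: nginx\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: a=1; Path=/\r\n"
    b"Set-Cookie: b=2; Path=/\r\n"
    b"X-Powered-By: PHP/8.1\r\n"
    b"\r\n<html>...</html>"
)

if __name__ == "__main__":
    resp = parse_response(SAMPLE)
    important, other, total = categorize(resp["headers"])
    print(f"HTTP Status: {resp['status']} {resp['reason']}  Total Headers: {total}")
    print("Important:", sorted(important), "\nOther:", sorted(other))
```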
Step 3: Analyze Results
Review headers for:
- Status code - Success (2xx), redirect (3xx), error (4xx, 5xx)
- Security headers - HSTS, CSP, X-Frame-Options, etc.
- Caching headers - Cache-Control, Expires, ETag
- Content headers - Content-Type, Content-Length
- Server information - Server, X-Powered-By
Step 4: Copy Results
Use "Copy All Headers" to copy all headers to clipboard for:
- Sharing with team
- Documentation
- Bug reports
- Analysis
Or click an individual header's copy button to copy just that header.
HTTP Status Codes
2xx Success
✅ 200 OK
- Request successful
- Content returned
- Most common response
✅ 201 Created
- Resource created successfully
- Common in REST APIs
- POST request response
✅ 204 No Content
- Successful but no content
- DELETE operations
- PUT updates
3xx Redirection
↪️ 301 Moved Permanently
- Permanent redirect
- SEO-friendly
- Update bookmarks
↪️ 302 Found
- Temporary redirect
- Original URL still valid
↪️ 304 Not Modified
- Cached version still valid
- Saves bandwidth
- Faster loads
4xx Client Errors
❌ 400 Bad Request
- Invalid request syntax
- Malformed data
- Check request format
❌ 401 Unauthorized
- Authentication required
- Missing/invalid credentials
- Check API key/token
❌ 403 Forbidden
- Access denied
- Valid auth but insufficient permissions
- Check permissions
❌ 404 Not Found
- Resource doesn't exist
- Wrong URL
- Deleted content
❌ 429 Too Many Requests
- Rate limit exceeded
- Too many requests
- Wait and retry
5xx Server Errors
🔥 500 Internal Server Error
- Server-side error
- Check server logs
- Contact admin
🔥 502 Bad Gateway
- Upstream server error
- Proxy/gateway issue
- Backend down
🔥 503 Service Unavailable
- Server overloaded
- Temporarily unavailable
- Maintenance mode
🔥 504 Gateway Timeout
- Upstream timeout
- Slow backend
- Increase timeout
Important Headers
Content Headers
content-type Specifies response format:
text/html; charset=UTF-8
application/json
application/xml
image/png
content-length Response size in bytes:
content-length: 12345
content-encoding Compression method:
content-encoding: gzip
content-encoding: br (Brotli)
content-language Content language:
content-language: en-US
content-language: vi-VN
Caching Headers
cache-control Cache directives:
cache-control: max-age=3600 # Cache 1 hour
cache-control: no-cache # Revalidate each time
cache-control: no-store # Don't cache
cache-control: public, max-age=86400 # Public cache 24h
cache-control: private, no-cache # Private, no cache
expires Expiration date:
expires: Thu, 17 Oct 2024 12:00:00 GMT
last-modified Last modification date:
last-modified: Wed, 16 Oct 2024 10:00:00 GMT
etag Resource version identifier:
etag: "abc123-def456"
etag: W/"weak-etag"
Security Headers
strict-transport-security (HSTS) Force HTTPS:
strict-transport-security: max-age=31536000; includeSubDomains; preload
- max-age: Duration in seconds (31536000 = 1 year)
- includeSubDomains: Apply to all subdomains
- preload: Submit to browser preload list
content-security-policy (CSP) Control resource loading:
content-security-policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'
Common directives:
- default-src: Fallback for all resource types
- script-src: JavaScript sources
- style-src: CSS sources
- img-src: Image sources
- connect-src: AJAX/WebSocket sources
- font-src: Font sources
x-frame-options Prevent clickjacking:
x-frame-options: DENY # Block all framing
x-frame-options: SAMEORIGIN # Allow same origin
x-frame-options: ALLOW-FROM https://... # Allow specific origin (obsolete; modern browsers ignore it, use CSP frame-ancestors instead)
x-content-type-options Prevent MIME sniffing:
x-content-type-options: nosniff
x-xss-protection XSS filter (legacy, use CSP instead):
x-xss-protection: 1; mode=block
referrer-policy Control Referer header:
referrer-policy: no-referrer
referrer-policy: no-referrer-when-downgrade
referrer-policy: same-origin
referrer-policy: strict-origin-when-cross-origin
permissions-policy Control browser features:
permissions-policy: geolocation=(), microphone=(), camera=()
Server Headers
server Web server software:
server: nginx/1.18.0
server: Apache/2.4.41
server: cloudflare
⚠️ Security note: Consider hiding version numbers to reduce attack surface.
date Response timestamp:
date: Thu, 17 Oct 2024 12:00:00 GMT
x-powered-by Backend technology:
x-powered-by: PHP/8.1.0
x-powered-by: Express
⚠️ Security note: Remove this header to hide technology stack.
Security Analysis
Security Checklist
✅ Must Have:
✓ strict-transport-security (HSTS)
✓ x-content-type-options: nosniff
✓ x-frame-options: DENY or SAMEORIGIN
✓ content-security-policy (CSP)
⚠️ Should Have:
✓ referrer-policy
✓ permissions-policy
✓ Remove x-powered-by
✓ Remove server version
❌ Security Issues:
✗ Missing HSTS header
✗ Missing CSP header
✗ x-frame-options not set
✗ Technology stack exposed
Common Security Headers
Minimal secure configuration:
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'self'
referrer-policy: strict-origin-when-cross-origin
Strong secure configuration:
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
content-security-policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
referrer-policy: no-referrer
permissions-policy: geolocation=(), microphone=(), camera=()
How to Add Security Headers
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache (.htaccess):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "default-src 'self'"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Node.js (Express):
app.use((req, res, next) => {
  // Middleware runs for every response served after this point
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});
Common Use Cases
1. Security Audit
Check for security headers:
1. Run Check Header
2. Look for:
✓ HSTS header
✓ CSP header
✓ X-Frame-Options
✓ X-Content-Type-Options
3. Document missing headers
4. Add to server config
5. Verify changes
2. API Debugging
Inspect API responses:
1. Check API endpoint
2. Verify status code (200, 201, etc.)
3. Check content-type (application/json)
4. Review custom headers (X-API-Version, etc.)
5. Check rate limit headers (X-RateLimit-*)
6. Verify CORS headers (Access-Control-*)
3. Cache Configuration
Analyze caching:
1. Check cache headers:
- Cache-Control
- Expires
- ETag
- Last-Modified
2. Verify cache duration
3. Check public vs private
4. Test 304 responses
4. Performance Analysis
Check optimization:
1. Compression: content-encoding: gzip
2. Caching: cache-control headers
3. CDN: check via/x-cache headers
4. Server: response time headers
5. Troubleshooting
Debug issues:
Server errors (5xx):
- Check server header for clues
- Look for custom error headers
- Check x-debug headers
Client errors (4xx):
- Verify content-type expectations
- Check authentication headers
- Review CORS headers
Performance:
- Check compression headers
- Verify cache configuration
- Look for CDN headers
Best Practices
1. Security Headers
✅ Always set:
- HSTS (force HTTPS)
- CSP (content security)
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing protection)
✅ Remove:
- x-powered-by (hide technology)
- server version (reduce attack surface)
2. Caching
✅ Static resources:
cache-control: public, max-age=31536000, immutable
✅ Dynamic content:
cache-control: private, no-cache
✅ API responses:
cache-control: no-store
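Applying the Cache-Control meanings listed above to a header set, as an added example (not the Check Header tool's code): the function classifies a response as not stored, privately cacheable or shared-cacheable, derives the freshness lifetime (s-maxage for shared caches, then max-age, then Expires minus Date as the legacy fallback, per RFC 9111), and reports which validators are available for a 304 round trip. The sample header sets are constructed from this page's own examples.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(value: str) -> dict:
    """'public, max-age=86400' -> {'public': None, 'max-age': '86400'}; names lowercased."""
    directives = {}
    for token in value.split(","):
        name, _eq, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives

def cache_policy(headers: dict) -> dict:
    """store: 'none' | 'private' | 'shared'; ttl: freshness lifetime in seconds, or None when
    no explicit lifetime is given (caches may then use heuristics); revalidate: must check with
    the origin before reuse; validators: headers usable for a conditional 304 request."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return {"store": "none", "ttl": 0, "revalidate": False, "immutable": False, "validators": []}
    store = "private" if "private" in cc else "shared"
    # s-maxage applies only to shared caches and overrides max-age there (RFC 9111)
    candidates = ("s-maxage", "max-age") if store == "shared" else ("max-age",)
    ages = [int(cc[k]) for k in candidates if (cc.get(k) or "").isdigit()]
    ttl = ages[0] if ages else None
    if ttl is None and "expires" in h and "date" in h:   # Expires is the legacy fallback
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            ttl = max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            ttl = 0                                        # unparsable Expires means already stale
    return {
        "store": store,
        "ttl": ttl,
        "revalidate": "no-cache" in cc or ttl == 0,
        "immutable": "immutable" in cc,
        "validators": [n for n in ("etag", "last-modified") if n in h],
    }

# Constructed header sets taken from the Best Practices and caching examples on this page.
EXAMPLES = {
    "static": {"Cache-Control": "public, max-age=31536000, immutable", "ETag": '"abc123-def456"'},
    "dynamic": {"Cache-Control": "private, no-cache", "Last-Modified": "Wed, 16 Oct 2024 10:00:00 GMT"},
    "api": {"Cache-Control": "no-store"},
    "legacy": {"Date": "Thu, 17 Oct 2024 12:00:00 GMT", "Expires": "Thu, 17 Oct 2024 13:00:00 GMT"},
}

if __name__ == "__main__":
    for name, hdrs in EXAMPLES.items():
        print(f"{name:8} {cache_policy(hdrs)}")
```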
3. Compression
✅ Enable compression:
content-encoding: gzip
✅ Or use Brotli (better):
content-encoding: br
4. CORS
✅ Configure CORS properly:
access-control-allow-origin: https://trusted-domain.com
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: Content-Type, Authorization
❌ Don't use wildcard with credentials:
access-control-allow-origin: *
access-control-allow-credentials: true
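The Security Checklist under Security Analysis and the CORS rule just above, turned into one check that runs over a captured header set; this is an added example, not the Check Header tool's own code. Must Have items are reported as "issue" and Should Have items as "should"; a CSP frame-ancestors directive is accepted in place of x-frame-options, and a wildcard access-control-allow-origin combined with credentials is flagged. STRONG and WEAK are constructed header sets built from this page's examples.

```python
import re

ONE_YEAR = 31536000   # the HSTS max-age used in the minimal configuration above

def csp_directives(csp: str) -> dict:
    """'default-src 'self'; script-src cdn' -> {'default-src': ["'self'"], 'script-src': ['cdn']}"""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit(headers: dict) -> list:
    """Return [(level, message)]: 'issue' for a failed Must Have item, 'should' otherwise."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        found.append(("issue", "Missing HSTS header"))
    elif not age or int(age.group(1)) < ONE_YEAR or "includesubdomains" not in hsts.lower():
        found.append(("should", "HSTS weaker than the minimal configuration"))
    csp = csp_directives(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        found.append(("issue", "Missing CSP header"))
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):  # script-src falls back to default-src
        found.append(("should", "CSP allows 'unsafe-inline' scripts"))
    xfo_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not xfo_ok and not (csp and "frame-ancestors" in csp):   # CSP frame-ancestors supersedes XFO
        found.append(("issue", "x-frame-options not set (and no CSP frame-ancestors)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        found.append(("issue", "Missing x-content-type-options: nosniff"))
    found += [("should", f"Missing {n}") for n in ("referrer-policy", "permissions-policy") if n not in h]
    if "x-powered-by" in h:
        found.append(("should", "Technology stack exposed: x-powered-by"))
    if re.search(r"/\d", h.get("server", "")):
        found.append(("should", f"Server version exposed: {h['server']}"))
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        found.append(("issue", "CORS: wildcard allow-origin combined with credentials"))
    return found

# Constructed header sets: the strong configuration above, and a weak one modelled on the screenshot.
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'none'; script-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer",
          "Permissions-Policy": "geolocation=(), microphone=(), camera=()"}
WEAK = {"Content-Type": "text/html; charset=UTF-8", "Server": "nginx/1.18.0", "X-Powered-By": "PHP/8.1",
        "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}
```

Calling audit(STRONG) returns an empty list, while audit(WEAK) lists five "issue" and four "should" findings.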
Troubleshooting
Issue: Missing Security Headers
Problem: Security scan shows missing headers
Solution:
- Identify missing headers
- Add to server configuration
- Test with Check Header
- Verify in security scanner
Issue: CORS Errors
Problem: Browser blocks API requests
Solution:
- Check CORS headers:
- access-control-allow-origin
- access-control-allow-methods
- access-control-allow-headers
- Verify origin matches
- Check credentials handling
- Test preflight OPTIONS request
Issue: Caching Not Working
Problem: Resources not caching
Solution:
- Check cache-control header
- Verify max-age value
- Check for no-cache/no-store
- Test ETag/Last-Modified
- Verify CDN configuration
Issue: Content-Type Wrong
Problem: Browser misinterprets content
Solution:
- Check content-type header
- Verify charset (UTF-8)
- Ensure matches actual content
- Add X-Content-Type-Options: nosniff
Next Steps
- 🏷️ Check Meta Header - Analyze HTML meta tags
- 🔄 Check Redirect - Check URL redirects
- 🔌 Check Port Open - Test port connectivity
- 🔙 Web Tools Overview - See all tools