HTTP Header Checker

Inspect HTTP response headers for any URL. Review security headers, caching, content type, SEO-relevant headers, and raw server response with a comprehensive health score.

Check Response Headers

Enter any URL to inspect its HTTP response headers. The tool follows redirects and shows headers from the final destination.
Quick test:

About the HTTP Header Checker

This tool fetches the full HTTP response headers from any URL and categorizes them for easy review. HTTP headers control everything from caching, security, and content type to SEO directives and server identification. Our comprehensive analysis scores your header configuration and highlights critical missing security headers.

Security Analysis

Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more — with missing header alerts.

Health Score

Get a 0-100 score based on your header security quality, with detailed check-level breakdowns and point deductions.

SEO Impact

Detects X-Robots-Tag noindex directives, Link header canonicals, and other SEO-relevant headers in your response.

Why HTTP Headers Matter for SEO & Security

HTTP headers are often overlooked, but they play a critical role in both search engine optimization and website security. Here's why you should pay attention to them:

  • Security vulnerabilities — Missing HSTS, CSP, or X-Frame-Options headers leave your site vulnerable to man-in-the-middle attacks, XSS, clickjacking, and data injection. A single missing security header can be the difference between a secure site and a compromised one.
  • Search engine crawling — The X-Robots-Tag header can block indexing of PDFs, images, and other files that don't support HTML meta tags. The Link header can specify canonicals for non-HTML resources, preventing duplicate content issues.
  • Page speed & performance — Cache-Control and ETag headers enable browser caching, reducing load times for returning visitors by 60-80%. Google considers page speed a confirmed ranking factor for both desktop and mobile.
  • Information disclosure — Server and X-Powered-By headers can reveal exact software versions, giving attackers a roadmap to known vulnerabilities. Security best practice is to minimize server information disclosure.
  • Privacy compliance — Referrer-Policy headers help comply with privacy regulations (GDPR, CCPA) by controlling how much referrer information is shared when users navigate between sites.

Best Practices for HTTP Headers

  • Always include Strict-Transport-Security (HSTS) with a max-age of at least 6 months (31536000 seconds) and includeSubDomains.
  • Set X-Content-Type-Options: nosniff to prevent MIME-sniffing attacks.
  • Set X-Frame-Options: SAMEORIGIN or DENY to prevent clickjacking.
  • Implement a Content-Security-Policy tailored to your site's resource needs.
  • Set Referrer-Policy: strict-origin-when-cross-origin for a good balance of privacy and analytics data.
  • Remove or obscure Server and X-Powered-By version information.
  • Use Permissions-Policy to restrict browser API access (camera, microphone, geolocation).
  • Configure explicit Cache-Control headers for optimal performance and reduced server load.

Frequently Asked Questions

HTTP headers are key-value pairs sent by the server along with every page response. They control caching, security, content type, and can even tell search engines not to index a page (X-Robots-Tag). Every HTTP request and response includes headers that instruct the browser, proxies, and search engines how to handle the content.
Key security headers include Strict-Transport-Security (HSTS) which forces HTTPS connections, X-Content-Type-Options which prevents MIME sniffing, X-Frame-Options which prevents clickjacking, Content-Security-Policy (CSP) which controls which resources can load, and Referrer-Policy which controls how referrer information is shared. Permissions-Policy and Cross-Origin-Resource-Policy are also important modern additions.
X-Robots-Tag is an HTTP header that can control search engine indexing (noindex, nofollow) at the server level — useful for non-HTML files like PDFs, images, and other assets. It works like the meta robots tag but via HTTP headers. This is particularly important for preventing duplicate content in search results from file-based content.
HSTS tells browsers to always connect via HTTPS for a specified period, preventing man-in-the-middle attacks and SSL stripping. Without HSTS, users could accidentally connect via HTTP even if the site supports HTTPS. HSTS also preloads HTTPS connections, improving both security and performance by eliminating redirects.
CSP is a powerful security header that controls which resources (scripts, styles, images, fonts, etc.) can be loaded by a page. A well-configured CSP can prevent cross-site scripting (XSS) attacks, data injection, and clickjacking by specifying allowed origins for each resource type. CSP also mitigates damage from compromised third-party scripts.
Cache-Control, Expires, ETag, and Last-Modified headers control how browsers and CDNs cache your content. Proper caching reduces server load, improves page load speed (a confirmed ranking factor), and reduces bandwidth costs. Pages with poor caching may load slower on repeat visits, frustrating users and potentially harming rankings.
Yes — headers like Server, X-Powered-By, and X-Generator can reveal the exact software version (e.g., Apache 2.4.49, PHP 8.1.3). Attackers use this information to target known vulnerabilities. Security best practice is to minimize server information disclosure by hiding or obscuring these headers. Use ServerTokens minimal on Apache or server_tokens off on Nginx.
The Link header can specify canonical URLs for non-HTML resources (PDFs, images, documents), preload/prefetch hints, and pagination relationships (rel="next"/"prev"). For SEO purposes, Link headers with rel="canonical" are especially important for files that cannot include an HTML canonical tag. They can also specify alternate language versions of a page.
Referrer-Policy controls how much referrer information is sent when a user clicks a link to another site. A strict policy (no-referrer-when-downgrade or strict-origin-when-cross-origin) protects user privacy but may reduce referral data in analytics platforms. A permissive policy (unsafe-url) provides full referrer data but may expose sensitive URL parameters. Balance privacy with analytics needs.
X-Robots-Tag controls indexing directives (noindex, nofollow). Link headers can specify canonical URLs. Content-Type determines how the page is parsed. Status codes (especially 301, 302, 404, 410) tell search engines whether the page is available, moved, or gone. Cache-Control and Last-Modified affect crawl frequency via the If-Modified-Since mechanism.
Reviewed Jun 2026 · Sources and limitations

Review details: 2026-06-10 · Marc LaClear · v1.0

Reference sources:

Known limits:

  • Checks are based on publicly fetchable HTML, response headers, and browser-side input. They do not use private Google Search Console, analytics, or ranking data.
  • Scores and warnings are diagnostic aids, not guarantees of ranking improvement or Google indexation.
  • Pages blocked by robots.txt, login walls, bot protection, heavy JavaScript, or network timeouts may return incomplete results.
  • Validate critical fixes with official Google tools such as Search Console, Rich Results Test, Lighthouse, and your own crawl data.

Report an issue with this tool