Inspect HTTP response headers and analyze security headers for any website.
Check Headers
What Are HTTP Headers?
HTTP headers are metadata sent between the browser and server with every request and response. They control caching, authentication, content type, security policies, and more. Inspecting headers helps diagnose performance issues and verify security configurations.
How This Tool Works
Enter a fully-qualified URL and the tool issues a `HEAD` request through a Xitoring edge function. We capture every response header — including the security-relevant ones your browser DevTools may collapse or hide — then categorize them so you can see at a glance which protections are in place and which are missing. The tool follows redirects up to three hops so a `http://...` URL gets reported with its final HTTPS headers.
How this tool works and what the response headers actually tell you.
Does this tool send my URL through Xitoring's servers?
Yes — the request goes through a Xitoring edge function so we can fetch headers from outside your network and return a clean response, including CORS-restricted endpoints that the browser would otherwise block. We don't log the URL or response content. If you need to inspect a URL you'd rather not share with any third party, use `curl -I ` locally.
Why are some security headers missing on my site?
Security headers like `Content-Security-Policy`, `Strict-Transport-Security`, and `X-Frame-Options` are opt-in — they're not emitted by default. Either your origin web server (Nginx, Apache, IIS) or your CDN (Cloudflare, Fastly, AWS CloudFront) has to be configured to add them. The missing-headers list in the result tells you which to add and roughly what each one defends against.
Should I worry if my site lacks Content-Security-Policy?
CSP is the single most effective defence against cross-site scripting, but it's also the hardest header to deploy correctly because it can break legitimate scripts. If your site loads user-generated content, embeds third-party widgets, or accepts form submissions, prioritize CSP. Start in `Content-Security-Policy-Report-Only` mode, collect violations for a week, then promote to enforcement.
What's the difference between HSTS and an HTTP-to-HTTPS redirect?
An HTTPS redirect is server-side — it returns a 301 or 308 the first time someone requests `http://...`. That first request still travels in plaintext and is interceptable. HSTS (`Strict-Transport-Security`) is a header that, once a browser has seen it, refuses to make plaintext requests to your domain at all — even before the user types `https://`. The `preload` directive plus submission to `hstspreload.org` ships your domain in the browser's preload list, so even the very first connection is secured.
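The following Python script is an added example, not Xitoring's own edge function, that reproduces the workflow the entries above describe: a `HEAD` request followed by hand through at most three redirect hops, the response headers sorted into present and missing security headers with a note on what each defends against, a check whether CSP is only in `Content-Security-Policy-Report-Only` mode, and a parse of the `Strict-Transport-Security` directives against what `hstspreload.org` requires. The header list, the notes, the function names and the sample headers are this example's own assumptions; the one-year `max-age` minimum is hstspreload.org's published submission requirement.

```python
# Added example (not Xitoring's code): a HEAD-based security-header audit that
# fetches headers, follows up to three redirects, and reports which security
# headers are present or missing plus findings about the ones that are present.
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

MAX_HOPS = 3  # the tool described above follows redirects up to three hops
PRELOAD_MIN_AGE = 31536000  # one year: the minimum max-age hstspreload.org accepts

# Assumed list of security headers to look for and what each one defends against.
SECURITY_HEADERS = {
    "strict-transport-security": "pins the browser to HTTPS (downgrade / SSL-strip)",
    "content-security-policy": "limits where scripts and resources may load from (XSS)",
    "x-frame-options": "blocks framing by other origins (clickjacking)",
    "x-content-type-options": "disables MIME sniffing (content-type confusion)",
    "referrer-policy": "limits URL leakage through the Referer header",
    "permissions-policy": "restricts browser features such as camera or geolocation",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse automatic redirects so each hop is visible and the hop limit holds."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urlopen then raises HTTPError for the 3xx response


def fetch_headers(url, max_hops=MAX_HOPS, timeout=10):
    """Issue HEAD requests, following at most max_hops redirects by hand.
    Returns (final_url, status, headers, elapsed_ms) for the last response."""
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(max_hops + 1):
        req = urllib.request.Request(url, method="HEAD")
        start = time.monotonic()
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, headers = resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all carry headers
            status, headers = err.code, dict(err.headers)
        elapsed_ms = (time.monotonic() - start) * 1000
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urllib.parse.urljoin(url, location)  # Location may be relative
            continue
        return url, status, headers, elapsed_ms
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives."""
    info = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                info["max_age"] = int(part.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as absent
        elif part == "includesubdomains":
            info["include_subdomains"] = True
        elif part == "preload":
            info["preload"] = True
    return info


def audit(headers):
    """Categorize a header mapping (names matched case-insensitively) into present
    and missing security headers, plus findings about the ones that are present."""
    lower = {k.lower(): v for k, v in headers.items()}
    present = {n: lower[n] for n in SECURITY_HEADERS if n in lower}
    missing = {n: note for n, note in SECURITY_HEADERS.items() if n not in lower}
    findings = []
    if "content-security-policy" not in lower and "content-security-policy-report-only" in lower:
        findings.append("CSP is in Report-Only mode: violations are reported, nothing is blocked")
    if "strict-transport-security" in lower:
        hsts = parse_hsts(lower["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < PRELOAD_MIN_AGE:
            findings.append(f"HSTS max-age is below the {PRELOAD_MIN_AGE} s hstspreload.org requires")
        if not (hsts["include_subdomains"] and hsts["preload"]):
            findings.append("HSTS lacks includeSubDomains and/or preload, so it cannot be preloaded")
    return {"present": present, "missing": missing, "findings": findings}


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    # usage: python audit.py https://example.com   (no argument audits the sample)
    hdrs = fetch_headers(sys.argv[1])[2] if len(sys.argv) > 1 else SAMPLE_HEADERS
    for section, items in audit(hdrs).items():
        print(section, items)
```

Run without arguments it audits the constructed sample and reports CSP as report-only and the HSTS value as too short and not preloadable; with a URL it performs the live `HEAD` fetch. Redirects are followed manually because `urllib` would otherwise hide the intermediate hops, which is exactly where a plaintext `http://` first hop shows up.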
Can I check internal or private URLs with this tool?
Only if they're reachable from the public internet. The fetch happens server-side from our edge, so URLs behind a VPN, on a private network, or only accessible via `localhost` won't work. For internal services, run `curl -I ` from a host inside the network, or use Xitoring's [website monitoring](https://xitoring.com/website-monitoring) which can probe from a private node.
Why does the response time differ from what my browser shows?
The reported time measures a single `HEAD` request from our edge to your server — it's a round-trip time plus the time to generate response headers. Your browser's measurement also includes DNS resolution, TLS handshake, full body download, render-blocking script execution, and any redirects in between. For true field performance use Real User Monitoring (RUM) or Core Web Vitals via PageSpeed Insights; for synthetic checks from multiple geos use Xitoring's website monitoring.