
HTTP Headers Checker

What Are HTTP Headers?

HTTP headers are short pieces of metadata that travel with every request and response between a browser and a server. The response headers tell the browser how to handle the page: what to cache, what security rules to follow, and what software is running on the server.

Security headers are cheap to add and make a real difference. A few lines of server config can block clickjacking, stop cross-site scripting, and force HTTPS without touching a single line of application code.

Security Headers Explained

Strict-Transport-Security (HSTS)

Tells browsers to always connect over HTTPS, even if someone types http:// by hand. Set max-age to at least one year (31536000 seconds). Without it, a single HTTP request can be intercepted and downgraded.

Content-Security-Policy (CSP)

Controls which scripts, styles, images and other resources the page is allowed to load. A well-written CSP is the single most effective defence against cross-site scripting (XSS). It takes some effort to configure but is worth it.

X-Frame-Options

Set to DENY or SAMEORIGIN to stop your page from being loaded inside an iframe on another site. This blocks clickjacking attacks where a hidden frame tricks users into clicking things they didn't intend to.

X-Content-Type-Options

Add nosniff and browsers will stop trying to guess the content type of a response. Without it, a file uploaded as an image could be executed as a script in some browsers.

Referrer-Policy

Controls how much of the current URL gets passed along in the Referer header when a user clicks a link. strict-origin-when-cross-origin is a sensible default that protects sensitive URL parameters without breaking analytics.

Permissions-Policy

Lets you restrict which browser features the page can use, such as the camera, microphone, location and payment APIs. Useful for limiting the blast radius if any third-party script on your page turns malicious.

Frequently Asked Questions

Why does my server header show the software version?

Headers like Server: Apache/2.4.51 or X-Powered-By: PHP/8.1 tell attackers exactly which version of what software you're running, making it easy to look up known vulnerabilities. These should be turned off or set to a generic value in production.

Will this tool affect my server?

No. It sends a single HEAD request, which asks only for headers with no page body transferred. It's the lightest possible HTTP request and has no noticeable impact on any server.

What is a good security score?

5 out of 7 or above is solid. A perfect 7/7 is ideal. A score of 2 or below means there are real gaps worth fixing before someone else finds them first.
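The checks described in the Security Headers section and the single HEAD request and score mentioned in the FAQ, as an added example that is not the tool's own code. It assumes the seventh scored item is the absence of a version string in Server / X-Powered-By (the page lists six headers and mentions version disclosure but does not state the tool's exact rubric); the sample response is constructed.

```python
import re
from urllib.request import Request, urlopen

ONE_YEAR = 31536000  # minimum HSTS max-age recommended above (one year)


def _max_age(value):
    """Extract the max-age directive from an HSTS value; 0 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def check_headers(headers):
    """Return {check_name: passed} for a mapping of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").upper()
    return {
        "strict-transport-security": _max_age(h.get("strict-transport-security", "")) >= ONE_YEAR,
        "content-security-policy": "content-security-policy" in h,
        "x-frame-options": xfo in ("DENY", "SAMEORIGIN"),
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer-policy": "referrer-policy" in h,
        "permissions-policy": "permissions-policy" in h,
        # Seventh check (assumed, not from the page): no "name/version" leaked
        "no-version-disclosure": not any(
            re.search(r"/\d", h.get(name, "")) for name in ("server", "x-powered-by")
        ),
    }


def score(headers):
    """Number of passed checks out of 7."""
    return sum(check_headers(headers).values())


def fetch_headers(url):
    """Send one HEAD request (no body transferred) and return the response headers."""
    with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample response: a typical partly-configured server
SAMPLE = {
    "Server": "Apache/2.4.51",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, ok in check_headers(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    print(f"score: {score(SAMPLE)}/7")  # → score: 2/7
```

Replace SAMPLE with `fetch_headers("https://example.test/")` to score a live response.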