HTTP Headers Inspector
Paste any URL and instantly inspect every response header — CORS, CSP, HSTS, caching, server info, and a full security score.
Access-Control-Allow-Origin. For sites that block this, we use a curated header database with real, recently-observed header sets so you always get meaningful results.
Sending request…
Connecting…
Key headers explained
Strict-Transport-Security
Forces browsers to use HTTPS for this domain for a set duration (HSTS)
Content-Security-Policy
Restricts which resources (scripts, styles, images) the browser can load
Access-Control-Allow-Origin
Controls which origins can make cross-origin requests to this server (CORS)
Cache-Control
Tells browsers and CDNs how long to cache the response and under what conditions
X-Frame-Options
Prevents the page from being embedded in iframes — protects against clickjacking
Permissions-Policy
Controls access to browser features like camera, microphone, and geolocation