Try:
⚠️ Browser CORS limitation: Browsers block reading headers from cross-origin requests unless the server sends Access-Control-Allow-Origin. For sites that block this, we use a curated header database with real, recently-observed header sets so you always get meaningful results.

Key headers explained

Strict-Transport-Security

Forces browsers to use HTTPS for this domain for a set duration (HSTS)

Content-Security-Policy

Restricts which resources (scripts, styles, images) the browser can load

Access-Control-Allow-Origin

Controls which origins can make cross-origin requests to this server (CORS)

Cache-Control

Tells browsers and CDNs how long to cache the response and under what conditions

X-Frame-Options

Prevents the page from being embedded in iframes — protects against clickjacking

Permissions-Policy

Controls access to browser features like camera, microphone, and geolocation