HTTP Header Checker
Inspect a URL’s security headers, redirect chain, cookie flags and HTTPS setup — with issues and fixes for the ones that matter.
Headers this tool checks
- Strict-Transport-Security — forces HTTPS, stops SSL-stripping.
- Content-Security-Policy — the main defence against XSS and injection.
- X-Frame-Options / frame-ancestors — clickjacking protection.
- X-Content-Type-Options: nosniff — stops MIME sniffing.
- Referrer-Policy, Permissions-Policy — privacy and capability control.
- Cross-Origin-*-Policy — isolation headers.
- Cookie flags — Secure, HttpOnly, SameSite on every Set-Cookie.
Common problems and fixes
HTTP doesn’t redirect to HTTPS
Add a 301 from every HTTP URL to its HTTPS equivalent, then add HSTS so browsers never try HTTP again.
No Content-Security-Policy
Start with Content-Security-Policy-Report-Only to see what a policy would block, tune it, then enforce.
Cookies without Secure/HttpOnly/SameSite
Session and auth cookies should always set all three to resist theft, XSS reads and CSRF.
Related tools
- DNS Lookup — records and email authentication.
- AI Readiness Checker — how AI systems read the page.
Last reviewed: 2026-07-09.
Frequently asked questions
▸ ▾ Which security headers should I have?
At minimum HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and a Content-Security-Policy. This tool flags which are missing.
▸ ▾ Does it follow redirects?
Yes — it traces the full redirect chain and inspects the headers and cookie flags on the final response.