What is HSTS and how do I configure it?

**HTTP Strict-Transport-Security** tells browsers "for the next N seconds, only ever connect to this domain over HTTPS, even if the user types `http://`". Standard config: `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`. The `max-age=63072000` is 2 years in seconds (the minimum for the [Chrome preload list](https://hstspreload.org/)). `includeSubDomains` covers `api.your-site.com`, `cdn.your-site.com` etc. `preload` allows submission to the browser-baked-in list. Caveat: once you ship HSTS with a long max-age, **you cannot easily revert** because every visitor's browser remembers it. Test with `max-age=300` first.

What is Content-Security-Policy, in one minute?

**CSP is a whitelist of where the page is allowed to load resources from**. A reasonable starting point: `Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'`. That says: load everything from my own origin, no scripts from third parties, no Flash/plugin objects, no being framed by anyone. **Most XSS attacks die at the CSP boundary** because the injected script comes from an attacker domain that is not whitelisted. The tricky part is allowing the third-party stuff you actually use (Google Analytics, Stripe, Cloudflare Insights) without opening the door to `'unsafe-inline'`. Use **nonces** or **hashes** for that.

X-Frame-Options vs CSP frame-ancestors, which one wins?

**Both work, frame-ancestors is the modern way**. `X-Frame-Options: DENY` (or `SAMEORIGIN`) is the 2009 way of saying "do not iframe me". CSP's `frame-ancestors 'none'` is the 2014 way and is **more flexible** because you can list specific allowed parents (`frame-ancestors 'self' https://partner.com`). Modern browsers prefer `frame-ancestors` when both are present. For maximum compatibility, **set both**. Our inspector gives you the point if at least one is present.

Why hide X-Powered-By and the Server version?

**Defense in depth**. If your `Server: Apache/2.4.41 (Ubuntu)` and `X-Powered-By: PHP/7.4.3` is in every response, an attacker scanning for CVEs **knows exactly which exploits to try**. Removing these headers does not fix any underlying vulnerability, but it raises the cost of automated drive-by attacks. Express: `app.disable('x-powered-by')`. nginx: `server_tokens off;`. Apache: `ServerTokens Prod` + `ServerSignature Off`. PHP: `expose_php = Off` in `php.ini`. A bare `Server: nginx` is fine; the version is what matters.

How does Permissions-Policy work?

It is **HTTP-level opt-out for browser features** the page (and its iframes) are allowed to use. Example: `Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()`. The empty parens mean "no one, not even me". If you DO use geolocation on one route, set `geolocation=(self)`. The `interest-cohort=()` line opts out of [FLoC](https://github.com/WICG/floc) (Google's cohort tracking). **The point is iframe isolation**: even if an embedded ad iframe calls `navigator.geolocation.getCurrentPosition`, the browser refuses because the parent did not delegate the permission.

When should I use Cache-Control vs ETag?

**Both, they solve different problems**. `Cache-Control: public, max-age=31536000, immutable` is the right thing for **fingerprinted assets** (`app.a1b2c3.js`): the browser never re-asks until the year runs out, which is fast. `Cache-Control: no-cache` with an `ETag` is the right thing for **HTML pages**: the browser always re-asks the server but ships the cached body if the ETag still matches (a fast `304 Not Modified`). **`no-cache` does not mean "do not cache"** (that's `no-store`); it means "always revalidate first". Most production sites do the fingerprinted-asset trick for JS/CSS/images and a short `max-age` (60 to 300s) plus `s-maxage` for HTML.

My site has 5 redirects in the chain. Is that bad?

**It is slow, but not always broken**. Each hop costs a DNS lookup plus TCP handshake plus TLS handshake plus 1 round trip, typically 50 to 200 ms. Five hops is 0.5 to 1 second before the user sees anything. Common offenders: `http://example.com` to `https://example.com` to `https://www.example.com` to `https://www.example.com/en/` to `https://www.example.com/en/home/`. **Fix it by collapsing the chain**: do the http-to-https, www-vs-bare and trailing-slash redirects in one shot. Marketing tracking domains (`bit.ly`, `t.co`) often add their own hops too; there is not much you can do about those.

What is the difference between this and securityheaders.com?

**Same idea, slightly different scoring**. securityheaders.com is **the industry reference**, run by Scott Helme, and grades A+ through F. Our tool gives you **the full hop chain** with per-hop timings (theirs collapses redirects), shows **every header** of the final response grouped by purpose (caching, CORS, server, custom), and uses a similar A-F rubric with a **bonus point each for hidden Server version and missing X-Powered-By**. The recommendations include **concrete config lines** ready to paste. Use both; second opinions are cheap.

Is the URL I check stored anywhere?

**No**. The URL hits our serverless function, the function fetches **only the headers** (we cancel the body the moment headers arrive, so the actual content of your page is never downloaded), computes the score, returns JSON. **Nothing is logged, nothing touches disk, no analytics fire on the API request**. Rate limit: **30 requests per hour** per IP, in-memory map, resets when the function cold-starts. SSRF guard refuses private and loopback hosts on every hop, so a malicious redirect to `10.0.0.1` is rejected.

HTTP Headers Inspector - free

What does the HTTP headers inspector show?

Paste a URL, hit Check, and our server walks the redirect chain one hop at a time (up to 5 hops), records each hop's status code, headers and timing, then grades the security headers on the final page A through F.

You see exactly what a browser sees on the wire: every redirect, every Set-Cookie, every Cache-Control, every CORS line. Plus a security card that tells you in plain words whether Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are set, plus a bonus point each for hiding the Server version and removing X-Powered-By.

For every missing header you get a concrete config line ready to paste into nginx, Apache, Express or your CDN.

How to use it

Paste the full URL (e.g. `https://your-site.com`). If you skip `https://`, we add it.
Click Check or press Enter. The server has 8 seconds per hop and 20 seconds total budget. Typical run: 200 to 800 ms.
Read the redirect chain top to bottom: hop 1, hop 2, etc. Each shows the URL, the status code (`301`, `302`, `308`) and how long the server took to respond.
Look at the security score card: a letter A to F plus a numeric score out of 10. Each pillar (HSTS, CSP, ...) is a row with a green check or a red cross and a one-line fix.
Open All response headers (final hop) to see every single header grouped by Security, Caching, CORS, Server, Other. Copy the value you need with one click.

When this is useful

Seven everyday situations where you want to inspect the headers yourself:

A new landing page is going live. Verify that the redirect chain is short (one 301 max) and that HSTS, CSP and X-Content-Type-Options are in place before marketing pushes the URL.
Your site got a B on securityheaders.com. Use the breakdown to see exactly which two headers cost you the upgrade to A, and copy the recommended lines into nginx.
Caching behaves weirdly. Inspect Cache-Control, ETag, Last-Modified, Vary on the final hop. If you see `Cache-Control: no-store` where you expected `max-age=3600`, you know the CDN/origin is stripping headers.
CORS errors in the browser. Check Access-Control-Allow-Origin / -Methods / -Headers / -Credentials on the failing endpoint. The inspector shows the exact server values, no DevTools acrobatics.
Suspicious redirect. Some marketing tools chain 4 to 5 redirects through tracking domains. The hop list shows you each step and the per-hop timing, so you can spot the slow one.
CDN debugging. Compare headers on origin vs CDN edge. Different X-Cache, Age, Server, Via values tell you whether the CDN is serving from cache or pulling fresh.
Compliance audit. A security checklist requires HSTS preload, no X-Powered-By and Permissions-Policy. The inspector confirms or denies each item with a copyable recommendation.

Questions and answers

They are response headers a browser reads before rendering the page. Each one closes a specific attack vector. HSTS stops downgrade attacks (HTTP instead of HTTPS). CSP stops injected scripts (XSS) and data exfiltration. X-Frame-Options stops clickjacking (your page in someone else's iframe). X-Content-Type-Options: nosniff stops MIME-type confusion. Referrer-Policy stops sensitive URLs leaking in the Referer header. Permissions-Policy stops embedded frames from grabbing camera, mic or geolocation. They are free, server-side, and supported by every modern browser, so there is no good reason not to set them.

What does the HTTP headers inspector show?

For every missing header you get a concrete config line ready to paste into nginx, Apache, Express or your CDN.

How to use it

Paste the full URL (e.g. `https://your-site.com`). If you skip `https://`, we add it.

Click Check or press Enter. The server has 8 seconds per hop and 20 seconds total budget. Typical run: 200 to 800 ms.

Read the redirect chain top to bottom: hop 1, hop 2, etc. Each shows the URL, the status code (`301`, `302`, `308`) and how long the server took to respond.

Look at the security score card: a letter A to F plus a numeric score out of 10. Each pillar (HSTS, CSP, ...) is a row with a green check or a red cross and a one-line fix.

Open All response headers (final hop) to see every single header grouped by Security, Caching, CORS, Server, Other. Copy the value you need with one click.

When this is useful

Seven everyday situations where you want to inspect the headers yourself:

A new landing page is going live. Verify that the redirect chain is short (one 301 max) and that HSTS, CSP and X-Content-Type-Options are in place before marketing pushes the URL.
Your site got a B on securityheaders.com. Use the breakdown to see exactly which two headers cost you the upgrade to A, and copy the recommended lines into nginx.
Caching behaves weirdly. Inspect Cache-Control, ETag, Last-Modified, Vary on the final hop. If you see `Cache-Control: no-store` where you expected `max-age=3600`, you know the CDN/origin is stripping headers.
CORS errors in the browser. Check Access-Control-Allow-Origin / -Methods / -Headers / -Credentials on the failing endpoint. The inspector shows the exact server values, no DevTools acrobatics.
Suspicious redirect. Some marketing tools chain 4 to 5 redirects through tracking domains. The hop list shows you each step and the per-hop timing, so you can spot the slow one.
CDN debugging. Compare headers on origin vs CDN edge. Different X-Cache, Age, Server, Via values tell you whether the CDN is serving from cache or pulling fresh.
Compliance audit. A security checklist requires HSTS preload, no X-Powered-By and Permissions-Policy. The inspector confirms or denies each item with a copyable recommendation.

Questions and answers

HTTP Headers Inspector

What does the HTTP headers inspector show?

How to use it

When this is useful

Questions and answers

Related tools

SSL Certificate Inspector

OpenGraph / Twitter Card Preview

HTTP request tester

HTTP/2 + HTTP/3 + QUIC Detector

Cloud Provider / CDN Detector

HTTP Headers Inspector

What does the HTTP headers inspector show?

How to use it

When this is useful

Questions and answers

Related tools

SSL Certificate Inspector

OpenGraph / Twitter Card Preview

HTTP request tester

HTTP/2 + HTTP/3 + QUIC Detector

Cloud Provider / CDN Detector