
HTTP Headers Viewer

Check what HTTP response headers any URL returns. Inspect security headers, follow redirect chains, and get a security grade.

Last updated 08 Apr 2026

Fetch any URL's HTTP response headers without CORS restrictions. Inspect all headers, follow redirect chains, and get a security grade based on the presence of HSTS, CSP, X-Content-Type-Options, and other security headers.


How to use

  1. Enter a URL

     Type or paste any http:// or https:// URL into the input field. Bare domains like example.com are automatically prefixed with https://.

  2. Choose options

     Select HEAD (default, faster) or GET. Enable Follow Redirects to see the full redirect chain with headers at each step.

  3. Click Check

     The tool fetches the URL from the server side and returns all response headers, bypassing any CORS restrictions.

  4. Review headers and security grade

     Inspect all response headers and the security analysis — a letter grade based on the presence of HSTS, CSP, X-Content-Type-Options, and other security headers.

Frequently asked questions

Why does this need to be server-side?
Browsers enforce CORS (Cross-Origin Resource Sharing) restrictions that prevent JavaScript from reading response headers from arbitrary URLs. This tool uses a server-side proxy to fetch the URL without CORS restrictions, then returns the headers to your browser.
What is the security grade based on?
The grade is calculated from a 100-point score. Points are deducted for missing security headers: HSTS (-25 for HTTPS sites), Content-Security-Policy (-25), X-Content-Type-Options (-10), X-Frame-Options (-10), Referrer-Policy (-5), Permissions-Policy (-5). X-Powered-By being present also deducts 5 points.
What is HSTS?
HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for a domain, even if a user types http://. It prevents protocol downgrade attacks. The header looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains.
What is the difference between HEAD and GET requests?
HEAD requests ask the server for headers only — the response body is not sent. GET requests download the full response, which can be large. Use HEAD (the default) for quick header checks. Some servers return different headers for HEAD vs GET, so switch to GET if you're not seeing expected headers.
Why are redirect chains shown?
Many sites redirect HTTP to HTTPS, or www to non-www. Seeing the full chain confirms that redirects are happening as expected — for example, that http://example.com redirects to https://example.com before serving content.
Why is X-Powered-By a security concern?
X-Powered-By reveals server technology (like PHP/7.4 or Express). Attackers can use this to target known vulnerabilities in that technology version. Best practice is to remove or suppress this header.
Are results cached?
Yes, results are cached for 5 minutes. This avoids hammering the target server with repeated requests while keeping results fresh enough for debugging.
Is any data stored?
Only the response headers are cached for 5 minutes on Cloudflare's edge to avoid redundant requests. No personal data is stored. The cache is keyed by URL.

HTTP Headers Viewer fetches any URL and shows all HTTP response headers — the metadata your browser normally processes silently. This is a server-side proxy so there are no CORS restrictions: you can inspect headers from any domain, not just those that allow cross-origin requests.

The tool follows redirect chains and shows the full path: which URLs redirected to which, with the status code and response headers at each step. This is useful for debugging canonical redirects, HTTPS enforcement, or unexpected redirect loops.

The security analysis grades the final URL's headers on a 100-point scale, checking for the most impactful security headers: HSTS (prevents protocol downgrade attacks), Content-Security-Policy (prevents XSS), X-Content-Type-Options (prevents MIME sniffing), X-Frame-Options (prevents clickjacking), and others. Each missing header comes with a specific recommendation.
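The scoring described in the FAQ and above, as an added Python example that is not the tool's own code: it applies the listed deductions to a dict of response headers and returns the score with a recommendation per finding. The letter-grade thresholds in `letter_grade` are an assumption, since the page does not state them.

```python
from urllib.parse import urlsplit

# Deductions as the FAQ lists them: (header, points, recommendation).
# HSTS is handled separately because its penalty applies only to https:// URLs.
CHECKS = [
    ("content-security-policy", 25, "add a Content-Security-Policy to restrict script sources (XSS)"),
    ("x-content-type-options", 10, "send X-Content-Type-Options: nosniff (MIME sniffing)"),
    ("x-frame-options", 10, "send X-Frame-Options: DENY or SAMEORIGIN (clickjacking)"),
    ("referrer-policy", 5, "send a Referrer-Policy such as strict-origin-when-cross-origin"),
    ("permissions-policy", 5, "send a Permissions-Policy that disables unneeded browser features"),
]
HSTS_PENALTY = 25        # missing Strict-Transport-Security on an https:// site
POWERED_BY_PENALTY = 5   # X-Powered-By present at all


def score_headers(url, headers):
    """Return (score, findings) for the final URL's response headers."""
    # Bare domains are treated as https://, mirroring the tool's input handling.
    if "://" not in url:
        url = "https://" + url
    is_https = urlsplit(url).scheme == "https"
    # Header names are case-insensitive, so compare on lower-cased keys.
    present = {name.lower(): value for name, value in headers.items()}
    score, findings = 100, []
    if is_https and "strict-transport-security" not in present:
        score -= HSTS_PENALTY
        findings.append("add Strict-Transport-Security: max-age=31536000; includeSubDomains")
    for name, penalty, advice in CHECKS:
        if name not in present:
            score -= penalty
            findings.append(advice)
    if "x-powered-by" in present:
        score -= POWERED_BY_PENALTY
        findings.append("remove X-Powered-By (%s): it discloses the server stack" % present["x-powered-by"])
    return score, findings


def letter_grade(score):
    """Map a score to a letter. Thresholds are assumed; the page does not give them."""
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return letter
    return "F"


if __name__ == "__main__":
    # Constructed sample response: no security headers and the stack disclosed.
    sample = {"Content-Type": "text/html", "X-Powered-By": "Express"}
    score, findings = score_headers("example.com", sample)
    print(score, letter_grade(score))
    for finding in findings:
        print(" -", finding)
```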

Use HEAD requests (the default) for fast header-only checks — no response body is downloaded. Switch to GET if a server returns different headers for HEAD vs GET requests (uncommon but it happens).
