Tool
HTTP Header Checker
An HTTP header checker shows the headers your website actually sends to a browser.
What The Checker Looks For
HeaderCheckr requests the target site, follows safe redirects, reads the final response headers, and grades the security headers it finds.
The scan highlights missing headers and gives copy-ready starting values you can adapt for your server, CDN, or framework.
Why It Matters
Headers often change between local, staging, and production because CDNs and hosts add their own rules.
Checking the live response helps you verify what users and search crawlers actually receive.
Examples
Use the checker after enabling HSTS to confirm the final HTTPS response includes it.
Use raw headers when a CDN rule seems active but the browser-facing response says otherwise.
How To Read The Results
A missing header is not always a critical issue, but it is a useful signal. A public login page, checkout page, or admin area should have a stricter baseline than a simple static page.
Use the raw headers and JSON output when you need to compare environments, debug CDN behavior, or share results with another developer.
Common questions
Why do my headers differ between environments?
Headers are often added by proxies, hosting platforms, and CDNs. Check production directly when you want to verify the real browser-facing response.
Does HeaderCheckr store my scans?
The current implementation performs live scans and does not require an account. Long-term storage is not part of the product.
Can I scan a path instead of a domain?
The current result page scans the domain root. Use the API for direct URL checks when that workflow is enabled.
Why does HEAD differ from GET?
Some servers treat HEAD and GET differently. HeaderCheckr falls back to GET when HEAD is blocked.
Should APIs send security headers?
APIs used by browsers should still send useful headers such as nosniff and a referrer policy.