HTTP Headers Lookup Tool

Content-Security-Policy

Defines allowed sources for scripts, styles, images, and other resources, preventing XSS attacks. upgrade-insecure-requests forces HTTP resources to load via HTTPS. Modern security essential.

Strict-Transport-Security

Forces browsers to only connect via HTTPS. max-age=15552000 means 180 days. Prevents protocol downgrade attacks and cookie hijacking. Critical for HTTPS sites.

X-Frame-Options

SAMEORIGIN prevents your site from being embedded in iframes on other domains, protecting against clickjacking attacks where malicious sites overlay your content with fake interfaces.

X-Content-Type-Options

nosniff prevents browsers from MIME-type sniffing, ensuring browsers respect declared content types. Stops browsers from executing scripts disguised as images or other content types.

X-XSS-Protection

1; mode=block enables browser XSS filtering that blocks pages when attacks are detected. Legacy header (modern CSP is better) but still useful for older browsers.

Referrer-Policy

strict-origin-when-cross-origin controls what referrer information is sent with requests. Balances analytics needs with user privacy by limiting data shared with external sites.

Cache-Control

no-store, no-cache, must-revalidate prevents caching (for dynamic content). For static assets, directives like max-age=31536000 enable long-term caching for better performance.

Content-Encoding

gzip or br (Brotli) indicates compression is enabled, reducing file sizes by 70-80%. Essential for performance—uncompressed sites waste bandwidth and load slowly.

HTTP/2 or HTTP/3

Protocol version shown in status line. HTTP/2 and HTTP/3 offer multiplexing, header compression, and server push for significantly better performance than HTTP/1.1. Modern sites should use HTTP/2 minimum.

Alt-Svc

h3=":443" advertises HTTP/3 (QUIC) support. Browsers that support HTTP/3 will use it for subsequent requests, providing even better performance than HTTP/2.

Server

Identifies server software. cloudflare indicates CDN usage. nginx, Apache, or custom servers reveal infrastructure. Some hide this for security (security through obscurity).

CF-Ray / X-Amz-Cf-Id

CDN-specific identifiers. CF-Ray is Cloudflare's request ID, useful for troubleshooting with support. AWS CloudFront uses X-Amz-Cf-Id. Helps trace requests through CDN infrastructure.

X-Turbo-Charged-By

Technology-specific headers like LiteSpeed, or X-Powered-By: PHP reveal backend technologies. Often removed for security to avoid exposing tech stack to attackers.

Set-Cookie

Creates browser cookies. Secure ensures HTTPS-only transmission. SameSite=Lax protects against CSRF attacks. HttpOnly prevents JavaScript access (not shown in example).

What are HTTP headers and why are they important?

HTTP headers are metadata fields sent between web browsers and servers with every request and response. They contain critical information about content types, encoding, security policies, caching directives, cookies, authentication, and server configuration. While invisible to users, headers fundamentally control how browsers handle content, enforce security measures, optimize performance through caching, enable compression, manage sessions via cookies, and facilitate proper content rendering. Properly configured headers are essential for security (preventing attacks), performance (enabling caching and compression), functionality (CORS for APIs), and SEO (proper redirects and canonical URLs). Misconfigured or missing headers can result in security vulnerabilities, slow performance, broken functionality, and poor search rankings. Modern web development requires understanding and optimizing HTTP headers as part of best practices.

Which security headers are absolutely essential?

At minimum, every modern website should implement: Strict-Transport-Security (HSTS) to force HTTPS connections; Content-Security-Policy (CSP) to prevent XSS attacks by controlling resource sources; X-Frame-Options or Content-Security-Policy: frame-ancestors to prevent clickjacking; X-Content-Type-Options: nosniff to prevent MIME-sniffing attacks; and Referrer-Policy to control referrer information leakage. Additionally, consider Permissions-Policy to control browser features, and proper Set-Cookie attributes (Secure, HttpOnly, SameSite) for cookie security. These headers form your first line of defense against common web attacks. Security scanners (like Mozilla Observatory) and compliance requirements increasingly expect these headers. Start with basic implementations and strengthen policies as you understand their impact on your site's functionality.

How do I add or modify HTTP headers?

Methods vary by infrastructure. Apache: Use .htaccess or server config with Header directives (requires mod_headers). Nginx: Add headers in server or location blocks with add_header directive. IIS: Configure in web.config or IIS Manager. CDN: Most CDNs (Cloudflare, AWS CloudFront, Fastly) offer header modification via dashboards or edge workers. Application-level: Many frameworks (Laravel, Express, Django) allow header setting in code. Cloud platforms: Netlify, Vercel, AWS Amplify provide configuration files for headers. For testing, start with non-critical headers and verify they appear before deploying critical security policies. Some headers (like CSP) can break functionality if misconfigured, so test thoroughly in development environments first. Always verify changes with tools like ours after deployment.

What's the difference between HTTP/1.1, HTTP/2, and HTTP/3?

HTTP/1.1 (1997) processes one request per connection, requiring multiple connections for parallel downloads, leading to overhead and latency. HTTP/2 (2015) introduces multiplexing (many requests over one connection), header compression, and server push, dramatically improving performance—typically 20-50% faster page loads. HTTP/3 (2022) uses QUIC protocol over UDP instead of TCP, eliminating head-of-line blocking, faster connection establishment, and better mobile performance. Modern sites should use HTTP/2 minimum, with HTTP/3 for cutting-edge performance. Benefits are automatic once enabled—no code changes needed. Users see faster page loads, reduced bandwidth usage, and better mobile experience. Enable HTTP/2 on your server or use a CDN that supports it. Most major CDNs now support HTTP/3 as well. Check the status line in header responses to verify your protocol version.

Why does my site show different headers than competitors?

Header configurations vary based on server software, hosting provider, CDN, security requirements, and developer decisions. No two sites are identical. Some sites prioritize security with strict CSP policies and numerous security headers, while others prioritize compatibility with minimal restrictions. Enterprise sites often have more headers due to compliance requirements, monitoring systems, and complex infrastructure. Budget hosts may provide fewer optimization headers compared to premium hosting or CDNs. Technology choices matter—sites using Cloudflare will have CF-specific headers, AWS sites show X-Amz headers, etc. Older sites may lack modern security headers due to legacy configuration. What matters is not matching competitors exactly but implementing headers appropriate for your needs: proper security, optimal caching for your content update frequency, and compression for performance.

Can HTTP headers improve my SEO?

Indirectly, yes. While headers aren't direct ranking factors, they significantly impact metrics Google cares about. Performance headers: Proper caching and compression improve page speed, a confirmed ranking factor. Security headers: HTTPS enforcement via HSTS contributes to the HTTPS ranking boost. Mobile optimization: Compression and HTTP/2 improve mobile experience, critical for mobile-first indexing. Redirect headers: Proper 301/302 usage preserves SEO value during migrations. Canonical headers: Link rel=canonical in headers helps manage duplicate content. Hreflang headers: Language targeting for international SEO. Additionally, security headers prevent site hacks that could result in Google blacklisting. Fast, secure, properly-configured sites rank better, and headers are fundamental to achieving that. Focus on performance (caching, compression, HTTP/2) and security headers as part of comprehensive SEO strategy.

Should I remove headers that reveal my technology stack?

Generally yes, though it's "security through obscurity" and not a substitute for actual security. Headers like Server, X-Powered-By, and X-Generator reveal server software and versions that attackers can use to target known vulnerabilities. Removing these headers makes automated vulnerability scanning slightly harder. However, determined attackers can still fingerprint your stack through other means (behavior, timing, error messages). The real security comes from keeping software updated, proper configuration, and security headers. That said, there's no benefit to advertising your technology, so removal is good practice. Remove via server config: Apache's ServerTokens Prod, Nginx's server_tokens off, or application-level header removal. Most CDNs replace your Server header with their own anyway. Focus more on implementing proper security headers (CSP, HSTS, etc.) than on hiding your server name—actual security measures matter far more than obscurity.

How often should I check my HTTP headers?

Check headers after any significant changes: server migrations, CDN implementation or changes, security policy updates, caching configuration modifications, SSL certificate renewals, or application deployments that might affect headers. For production sites, quarterly reviews ensure headers remain properly configured and aligned with evolving best practices. After major browser updates, verify your security headers remain effective (browsers occasionally change CSP or other header interpretations). Use automated monitoring if possible—some security tools continuously check header configuration. For development, verify headers in staging before production deployment. When troubleshooting performance or security issues, headers should be among the first things checked. If you're using a CDN or managed hosting, they sometimes update configurations, so periodic verification ensures nothing broke. Set calendar reminders for quarterly header audits as part of routine site maintenance, just like checking backups or reviewing analytics.