Analysis Free · no signup

HTTP Headers Analyzer

Analyze HTTP response headers, security headers, cookies, and redirects.

Enter a URL and the HTTP Headers Analyzer fetches its response headers and highlights the security-critical ones — Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — alongside caching, compression, cookie flags, and the full redirect chain. You get an instant picture of how a server responds and where its security hardening has gaps. Built for developers and security engineers verifying configuration without opening browser devtools.

Updated Krawly Editorial TeamIn-house engineers, writers & reviewers

Example output

Pre-computed real result from running HTTP Headers Analyzer against https://krawly.io

Surfaces every response header a site sends — security headers, caching directives, server fingerprint, bot-protection signals, and detected CDN.

Server
nginx/1.24.0 (Ubuntu)
HSTS
max-age=31536000; includeSubDomains
X-Frame-Options
SAMEORIGIN
Content-Security-Policy
Not set
Referrer-Policy
strict-origin-when-cross-origin
Cache-Control
s-maxage=31536000

What this tells you: Run this on your own site as a security baseline — a missing HSTS or CSP header is the most common configuration gap and the easiest to fix.

↓ Run the tool below with your own input

Explore More Free Tools

Discover 150+ free tools for web scraping, SEO analysis, OSINT, and more. 30 free uses every day — no signup required.

150+ Free Tools No Signup Required JSON / CSV / Excel 30 Uses / Day
Quick answer

Enter a URL and the HTTP Headers Analyzer fetches its response headers and highlights the security-critical ones — Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — alongside caching, compression, cookie flags, and the full redirect chain. You get an instant picture of how a server responds and where its security hardening has gaps. Built for developers and security engineers verifying configuration without opening browser devtools.

What is HTTP Headers Analyzer?

The HTTP Headers Analyzer inspects the HTTP response headers returned by any URL, with a focus on the headers that govern security and behavior. It lists the complete response, then calls out security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy), examines cookie attributes (Secure, HttpOnly, SameSite, path, domain), reports caching and compression headers, and traces every hop in a redirect chain. It's a fast way for developers, DevOps, and security professionals to confirm that a server is sending the headers it should — and to spot the missing ones that leave a site open to XSS, clickjacking, and MIME-sniffing attacks.

How to use HTTP Headers Analyzer

  1. 1

    Enter the URL

    Paste the full URL including the scheme (https://example.com/page). The tool sends a real request and reports exactly what the server returns, including any redirects it follows to get there.

  2. 2

    Review the security headers

    Look for CSP, HSTS, and X-Frame-Options first — these block the most common attacks. A missing Content-Security-Policy or X-Frame-Options is the difference between being protected against XSS/clickjacking and being wide open.

  3. 3

    Inspect cookie flags

    Check that session cookies carry Secure, HttpOnly, and an appropriate SameSite value. A session cookie without HttpOnly can be stolen by JavaScript in an XSS attack; without Secure it can leak over plain HTTP.

  4. 4

    Trace the redirect chain

    Follow each hop from the first request to the final 200. Too many redirects slow the page and can leak referrer data; a redirect from HTTPS back to HTTP is a serious misconfiguration to fix.

Try it when you need to…

  • Try it when a security scanner flagged 'missing security headers' and you need to see exactly which ones are absent
  • Try it when a page won't stop redirecting or lands in a loop and you need to see every hop and status code
  • Try it when you set a security header in your config but aren't sure a CDN or reverse proxy is actually passing it through to the browser

Use cases

  • Security hardening — verify CSP, HSTS, and anti-clickjacking headers are present and correct
  • Cookie auditing — confirm session cookies use Secure, HttpOnly, and SameSite
  • Caching and performance — check Cache-Control, ETag, and compression headers
  • Debugging redirects — trace a multi-hop redirect chain to find loops or HTTPS downgrades
  • Post-deployment checks — confirm headers survived a server, proxy, or CDN configuration change

Key features

Complete HTTP response header listing
Security header analysis with pass/fail and recommendations
Cookie inspection (Secure, HttpOnly, SameSite, path, domain)
Full redirect chain tracing with status code at each hop
Caching and compression header reporting

Tips & best practices

HSTS only takes effect after the browser has visited over HTTPS once and cached the policy — the very first visit is unprotected. To close that gap, submit your domain to the HSTS preload list so browsers enforce HTTPS before the first request.

X-XSS-Protection is deprecated and ignored by modern browsers (Chrome removed it) — some header settings even introduce vulnerabilities. Don't rely on it; a strong Content-Security-Policy is the real XSS defense today.

SameSite=Lax is the modern browser default for cookies and blocks most CSRF via cross-site navigations. Use SameSite=Strict for sensitive session cookies, but note it also blocks the cookie when users arrive from an external link — which can log them out unexpectedly.

A CSP with 'unsafe-inline' in script-src largely defeats the purpose of CSP, since it re-permits the inline scripts XSS relies on. Move to nonces or hashes so you can drop 'unsafe-inline' entirely.

Frequently asked questions

Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy — the core headers that defend against XSS, clickjacking, MIME-sniffing, and information leakage.

CSP tells the browser which sources of scripts, styles, images, and other resources are allowed to load. A well-built policy blocks injected malicious scripts from running, making it the single most effective defense against cross-site scripting (XSS).

Both prevent your page from being embedded in an iframe on another site (clickjacking protection). X-Frame-Options is the older header with DENY/SAMEORIGIN options; CSP's frame-ancestors directive is the modern, more flexible replacement that lets you specify allowed origins. Set both for maximum browser coverage.

A plain HTTP-to-HTTPS redirect still exposes the first request to a man-in-the-middle attack. HSTS tells the browser to always use HTTPS for your domain automatically, eliminating that initial insecure request on every subsequent visit.

Yes. The tool traces the full redirect chain, showing the status code (301, 302, 307, etc.) and headers at each hop until it reaches the final response. This makes it easy to spot loops or an accidental HTTPS-to-HTTP downgrade.

HttpOnly prevents JavaScript from reading the cookie, so an XSS flaw can't steal the session token. Secure ensures the cookie is only sent over HTTPS, so it never leaks over an unencrypted connection. Together they are baseline protection for any authentication cookie.