StatusDetector

HTTP Headers Inspector

See every response header a server sends — status code, redirect chain, security policy headers, cache settings, and more. Runs server-side through our SSRF-guarded proxy.

How it works

We send a GET request to the URL from our server, follow redirects safely (checking each hop for SSRF before it is fetched), and collect all response headers. The security header panel highlights the subset that directly affects your site's attack surface: CSP, HSTS, CORS, framing policy, and so on.

Missing security headers are called out explicitly so you can see at a glance what your site is not yet setting.

Frequently asked

  • What is a Content-Security-Policy (CSP) header?

    CSP tells the browser which sources it is allowed to load scripts, styles, images, and frames from. A missing or permissive CSP is the most common gateway for cross-site scripting (XSS) attacks. A strict CSP is one of the most impactful security improvements you can make.

  • What does Strict-Transport-Security (HSTS) do?

    HSTS instructs browsers to always connect to your site over HTTPS, even if the user types http://. Without it, the first connection can be intercepted (SSL stripping). Once HSTS is seen, browsers cache it for the max-age duration.

  • Why does the tool show missing security headers?

    Most servers do not set all security headers by default. Each missing header represents a potential attack vector — clickjacking (X-Frame-Options), MIME confusion (X-Content-Type-Options), referrer leakage (Referrer-Policy), and so on. The missing list is not a verdict that your site is insecure, just a checklist of easy wins.

  • Can I inspect internal or localhost addresses?

    No — we block private IP ranges and internal hostnames (localhost, .local, .internal, 192.168.x.x, 10.x.x.x, etc.) to prevent server-side request forgery (SSRF). The tool is designed for publicly reachable URLs only.
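The two mechanisms described above, the per-hop SSRF guard and the missing-header checklist, are easy to misimplement (checking only the first URL, or only the hostname and not what it resolves to). The following is an added illustration, not StatusDetector's own code: it walks a constructed redirect chain, refuses any hop whose hostname or resolved address is internal, and reports which highlighted security headers the final response lacks. The header list, the hop format and the sample chains are assumptions chosen to mirror the page's description; `ipaddress.is_global` is used as the "not private, loopback, link-local or otherwise special" test so that the guard does not depend on a hand-written CIDR list.

```python
"""Redirect-chain header inspection with a per-hop SSRF guard.

Added example; not the tool's code. Hops are constructed dicts standing in
for what a real fetcher learns from DNS and HTTP at each step.
"""
import ipaddress
from typing import Dict, Iterable, List

# Headers the security panel highlights. This list is our reading of the
# page (CSP, HSTS, framing, MIME sniffing, referrer policy), not an official one.
SECURITY_HEADERS: Dict[str, str] = {
    "content-security-policy": "restricts script/style/frame sources (XSS)",
    "strict-transport-security": "forces HTTPS on later visits (SSL stripping)",
    "x-frame-options": "framing policy (clickjacking)",
    "x-content-type-options": "disables MIME sniffing (MIME confusion)",
    "referrer-policy": "limits Referer leakage",
}

BLOCKED_HOSTNAMES = ("localhost",)
BLOCKED_SUFFIXES = (".local", ".internal")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def is_blocked_target(hostname: str, resolved_ips: Iterable[str]) -> bool:
    """SSRF guard: refuse internal hostnames and any resolved address that is
    not globally routable (RFC 1918, loopback, link-local, reserved, ...).
    Checking the resolved addresses, not just the name, defeats DNS names
    that point at internal space."""
    host = hostname.rstrip(".").lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(BLOCKED_SUFFIXES):
        return True
    return any(not ipaddress.ip_address(ip).is_global for ip in resolved_ips)


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the highlighted headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in SECURITY_HEADERS if name not in present]


def inspect_chain(hops: List[dict], max_hops: int = 10) -> dict:
    """Walk a redirect chain, running the SSRF guard on every hop before its
    response is used. Each hop has keys host, ips, status, headers."""
    statuses: List[int] = []
    for hop in hops[:max_hops]:
        if is_blocked_target(hop["host"], hop["ips"]):
            return {"blocked": True, "blocked_host": hop["host"], "chain": statuses}
        statuses.append(hop["status"])
        if hop["status"] in REDIRECT_STATUSES:
            continue  # follow to the next constructed hop
        return {
            "blocked": False,
            "chain": statuses,
            "final_status": hop["status"],
            "missing": missing_security_headers(hop["headers"]),
        }
    return {"blocked": False, "chain": statuses,
            "error": "redirect chain did not terminate within max_hops"}


# Constructed sample chains (addresses and headers are illustrative).
SAMPLE_PUBLIC_CHAIN = [
    {"host": "example.com", "ips": ["93.184.216.34"], "status": 301,
     "headers": {"Location": "https://www.example.com/"}},
    {"host": "www.example.com", "ips": ["93.184.216.34"], "status": 200,
     "headers": {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000",
                 "X-Content-Type-Options": "nosniff"}},
]

# Public first hop that redirects into an internal name/address: must be refused.
SAMPLE_BLOCKED_CHAIN = [
    {"host": "example.com", "ips": ["93.184.216.34"], "status": 302,
     "headers": {"Location": "http://intranet.internal/"}},
    {"host": "intranet.internal", "ips": ["10.0.0.5"], "status": 200,
     "headers": {}},
]

if __name__ == "__main__":
    print(inspect_chain(SAMPLE_PUBLIC_CHAIN))
    print(inspect_chain(SAMPLE_BLOCKED_CHAIN))
```

The guard runs before each hop's body or headers are consumed, so a public URL that redirects into private space is cut off at the redirect rather than after the internal response has already been fetched; that ordering is the point of "checking each hop".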
