Why can this tool not fetch live headers directly?

Browsers enforce CORS (Cross-Origin Resource Sharing), which prevents client-side JavaScript from reading raw response headers from arbitrary URLs. Use the generated curl command in your terminal to inspect real headers.

What is the most important security header to add?

Strict-Transport-Security (HSTS) is widely considered the highest-priority header because it prevents protocol-downgrade attacks. Content-Security-Policy (CSP) is the most powerful but also the most complex to configure correctly.

What does a missing X-Frame-Options header mean?

Without X-Frame-Options or an equivalent CSP frame-ancestors directive, your page can be embedded in an iframe on any site, enabling clickjacking attacks where a malicious page tricks users into clicking hidden elements.

How do I add security headers in Nginx?

Add the header directives inside your server {} or location {} block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Each header requires its own add_header line.

What is the difference between Cache-Control and Expires?

Cache-Control is the modern HTTP/1.1 directive and takes precedence. Expires is the older HTTP/1.0 equivalent and is only used as a fallback when Cache-Control is absent. Prefer Cache-Control for all new configurations.

What does "no-store" vs "no-cache" mean in Cache-Control?

no-store tells the browser and all intermediaries never to store a copy of the response. no-cache allows storage but requires revalidation with the server before serving the cached copy.

HTTP Header Checker

Name: HTTP Header Checker
Availability: InStock
Author: Nham Vu

Look up any HTTP response header, understand what it does, see recommended values, and generate a ready-to-run curl command.

Header	Category	Summary	Risk

curl Command Generator

Enter a URL to generate a curl command that prints only the response headers. Run it in your terminal.

Generated command

Summary

Look up any HTTP response header, understand what it does, see recommended values, and generate a ready-to-run curl command.

How it works

Browse or search the header table to find the header you need.
Filter by category (Security, Caching, Content, CORS, Transport) to narrow results.
Click any row to expand a full explanation with recommended values.
Enter a URL in the curl generator and copy the ready-to-run command.
Paste the curl output into the header lookup to decode unfamiliar values.

Use cases

Audit a website for missing security headers before launch.
Generate a curl command to inspect live headers without leaving the browser.
Look up an unfamiliar header returned by a third-party API.
Learn which headers to add to an Nginx or Apache config.
Verify that HSTS, CSP, and X-Frame-Options are set correctly.
Check whether a CDN is stripping or modifying cache headers.
Prepare for a security review or penetration test.
Train junior developers on HTTP fundamentals.

Frequently Asked Questions

Last updated: 2026-06-11 · Reviewed by Nham Vu