HTTP Header Checker
Learn about HTTP headers, security headers checklist and best practices
Essential Security Headers Checklist
Content-Type
Specifies the media type of the response body (e.g., HTML, JSON, image).
Best Practice: Always set charset=utf-8 for text content. Use correct MIME types.
Cache-Control
Directives for caching in both requests and responses. Controls whether, where, and for how long content is cached.
Best Practice: Use a long max-age for static assets, and add immutable for versioned (fingerprinted) assets. Set no-store on authenticated or otherwise sensitive responses so they are not kept in browser or shared proxy caches.
X-Frame-Options
[Security] Prevents clickjacking by controlling whether the page may be embedded in a frame or iframe on another site.
Best Practice: Set to DENY or SAMEORIGIN. Prefer Content-Security-Policy frame-ancestors, which modern browsers honour in place of this header, and keep X-Frame-Options as a fallback for older browsers. Do not rely on ALLOW-FROM; modern browsers ignore it.
Content-Security-Policy
[Security] Controls which resources the browser may load, and from where. Mitigates XSS and other content-injection attacks by refusing scripts and other resources the policy does not allow.
Best Practice: Start with a strict policy and relax only where needed. Avoid 'unsafe-inline' and 'unsafe-eval'. Use a fresh per-response nonce (or a hash) for inline scripts, set object-src 'none' and base-uri 'none', and roll out with Content-Security-Policy-Report-Only first to find what the policy would break.
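The nonce-based approach from the best practice above, as an added example that is not part of the original page: the server mints a fresh nonce per response, places the same value in the header and in the script tag, and a small parser shows why 'unsafe-inline' is the thing to avoid. The directive template, function names and the HTML fragment are this example's own choices, not the tool's; it assumes Python 3.8 or later and no third-party packages.

```python
import html
import secrets
from typing import Dict, List, Tuple

# Strict, nonce-based policy (this example's template). 'strict-dynamic' lets a
# nonced script load further scripts without listing every host; there is no
# 'unsafe-inline' at all.
CSP_TEMPLATE = (
    "default-src 'self'; "
    "script-src 'nonce-{nonce}' 'strict-dynamic'; "
    "object-src 'none'; "
    "base-uri 'none'; "
    "frame-ancestors 'none'"
)


def new_nonce() -> str:
    """Fresh nonce for one response: 128 bits from the OS CSPRNG, base64url encoded."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Header value carrying this response's nonce."""
    return CSP_TEMPLATE.format(nonce=nonce)


def render_page(nonce: str, inline_js: str) -> str:
    """Constructed HTML body. inline_js is developer-authored code, not user input;
    the nonce attribute must equal the one in the header or the browser blocks it."""
    return (
        "<!doctype html><html><body>"
        f'<script nonce="{html.escape(nonce, quote=True)}">{inline_js}</script>'
        "</body></html>"
    )


def respond(inline_js: str) -> Tuple[Dict[str, str], str]:
    """One response: header and body share a nonce that is never reused."""
    nonce = new_nonce()
    return {"Content-Security-Policy": csp_header(nonce)}, render_page(nonce, inline_js)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def inline_scripts_allowed(policy: str) -> bool:
    """True if an inline script carrying no nonce or hash would be allowed to run."""
    d = parse_csp(policy)
    if "script-src" in d:
        src = d["script-src"]
    elif "default-src" in d:
        src = d["default-src"]
    else:
        return True  # no directive governs scripts, so inline code runs
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src
    )
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    return "'unsafe-inline'" in src and not has_nonce_or_hash


if __name__ == "__main__":
    hdrs, body = respond("document.title = 'ready';")
    print(hdrs["Content-Security-Policy"])
    print(body)
    print("inline allowed:", inline_scripts_allowed(hdrs["Content-Security-Policy"]))
```

The nonce must come from a CSPRNG and change on every response; a fixed or guessable nonce lets injected markup simply copy it, which turns the policy back into 'unsafe-inline'.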
Strict-Transport-Security
[Security] Tells browsers to use HTTPS for every future request to this host, for max-age seconds, after one HTTPS response has carried the header (HSTS). Browsers ignore the header on plain HTTP responses.
Best Practice: Set max-age to at least one year (31536000). Add includeSubDomains. Submit to the HSTS preload list only once every subdomain serves HTTPS, because a preload entry is slow and hard to undo. A complete value: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options
[Security] Prevents MIME type sniffing: the browser will not guess a content type that differs from the declared Content-Type.
Best Practice: Always set to nosniff. Scripts and stylesheets served with the wrong MIME type are then refused instead of being executed or applied, which closes off a class of content-confusion attacks.
X-XSS-Protection
[Security] Enables the browser's built-in reflected-XSS filter (legacy, superseded by CSP).
Best Practice: Set to 0 and rely on CSP. Chromium-based browsers have removed their filter and Firefox never implemented one; where a filter still exists, leaving it enabled has caused its own breakage, which is why the recommended value is 0 rather than 1; mode=block.
Access-Control-Allow-Origin
[Security] CORS response header that names the origin allowed to read this response from a cross-origin page.
Best Practice: Never combine * with Access-Control-Allow-Credentials: true. Browsers reject that pairing, and the common workaround of reflecting whatever Origin header arrived exposes authenticated responses to every site. Keep an allowlist of exact origins, compare the Origin header against it server-side, echo only a matching value, and send Vary: Origin so caches do not serve one origin's response to another.
Access-Control-Allow-Methods
Lists the HTTP methods a cross-origin request may use; returned in the response to a CORS preflight (OPTIONS) request.
Best Practice: Only allow the methods you actually need. Don't include DELETE or PUT unless necessary.
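The server-side Origin validation recommended in the two CORS entries above, as an added example that is not part of the original page: the reflect-anything anti-pattern sits beside a hardened version that checks an allowlist, echoes only an exact match, emits the preflight headers, and sets Vary: Origin. The allowlist, function names and the allowed method set are constructed for this example; it assumes Python 3.8 or later and only the standard library.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Exact origins permitted to read responses with credentials (constructed allowlist).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """scheme://host[:port] with a lower-cased host, or None if the value is not a bare origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None                      # covers "null" and garbage values
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None                      # an Origin header never carries a path
    return f"{parts.scheme}://{parts.netloc.lower()}"


def insecure_cors_headers(request: Dict[str, str]) -> Dict[str, str]:
    """The anti-pattern: reflect whatever Origin arrived so credentials 'just work'.
    Any site can now read the victim's authenticated responses."""
    origin = request.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(request: Dict[str, str],
                 allowed_methods=("GET", "POST")) -> Dict[str, str]:
    """Hardened version: allowlist the origin, echo only a match, and tell caches the
    response depends on Origin. Omitting Allow-Origin makes the browser block the read."""
    origin = request.get("Origin")
    if origin is None:
        return {}                        # same-origin or non-browser client
    headers = {"Vary": "Origin"}         # sent regardless so caches never mix origins
    norm = normalize_origin(origin)
    if norm is None or norm not in ALLOWED_ORIGINS:
        return headers
    headers["Access-Control-Allow-Origin"] = origin   # exact value, never "*"
    headers["Access-Control-Allow-Credentials"] = "true"
    if "Access-Control-Request-Method" in request:     # this is a preflight
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://app.example.com.evil.net", "null"):
        print(o, "->", cors_headers({"Origin": o}))
```

The comparison is against the whole normalized origin, not a suffix or a regex, so lookalikes such as app.example.com.evil.net and userinfo tricks like https://app.example.com@evil.net fall outside the allowlist.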
Referrer-Policy
[Security] Controls how much referrer information (origin, path, query string) is sent with requests leaving the page.
Best Practice: Use strict-origin-when-cross-origin (the current browser default) or no-referrer for privacy. Avoid unsafe-url, which leaks full URLs, query strings included, to other sites and across HTTPS-to-HTTP downgrades.
Permissions-Policy
[Security] Controls which browser features (camera, microphone, geolocation, etc.) the page and the frames it embeds may use.
Best Practice: Disable features you don't use, e.g. camera=(), microphone=(), geolocation=(). Restrict features you need to your own origin, e.g. geolocation=(self).
Set-Cookie
[Security] Sends a cookie from the server to the browser, typically to carry a session identifier.
Best Practice: Always set Secure, HttpOnly and SameSite (Lax or Strict). Set an expiry that matches the intended session length. Use the __Host- prefix for session cookies so they can only be set over HTTPS, without a Domain attribute and with Path=/. Don't store sensitive data in the cookie value; store a random identifier and keep the data server-side. A complete value: __Host-session=<random id>; Path=/; Secure; HttpOnly; SameSite=Lax
ETag
Opaque identifier for a specific version of a resource, used by conditional requests (If-None-Match) for cache validation.
Best Practice: Use weak ETags (W/"...") for dynamic content and strong ETags for static files. Combine with Cache-Control. Derive the value from the content itself, not from filesystem details such as inode numbers, which leak server information.
X-Powered-By
[Security] Reveals the application framework or runtime (Express, PHP, ASP.NET, etc.), often with its version.
Best Practice: Remove this header in production. It hands attackers and scanners the exact technology and version to target.
Server
[Security] Reveals the web server software being used, and often its version.
Best Practice: Remove it or strip the version (e.g. just nginx). This is not a security control on its own; it only stops advertising unpatched versions to automated scanners.
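The checklist above turned into a small audit routine, as an added example that is not the SabTools.in tool's own code: it takes the response headers of one page (case-insensitively, with Set-Cookie as a list) and returns findings with a severity for every best practice the checklist states. The weak sample response, the severity levels and the helper names are constructed for this example; it assumes Python 3.8 or later and only the standard library. Headers can be fetched with any HTTP client and passed in as a dict.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, header, message)

# Constructed sample: what a weakly configured server might return.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["session=abc123; Path=/", "theme=dark; Path=/; Secure"],
}

ONE_YEAR = 31536000


def _get(headers: Dict[str, object], name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _max_age(value: str):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def audit(headers: Dict[str, object], https: bool = True) -> List[Finding]:
    f: List[Finding] = []
    hsts = _get(headers, "Strict-Transport-Security")
    if https:  # HSTS is only meaningful (and only honoured) over HTTPS
        if hsts is None:
            f.append(("high", "Strict-Transport-Security", "missing"))
        else:
            age = _max_age(hsts)
            if age is None or age < ONE_YEAR:
                f.append(("medium", "Strict-Transport-Security", "max-age below one year"))
            if "includesubdomains" not in hsts.lower():
                f.append(("low", "Strict-Transport-Security", "includeSubDomains not set"))
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        f.append(("high", "Content-Security-Policy", "missing"))
    else:
        for directive in csp.split(";"):
            t = directive.split()
            if t and t[0] in ("script-src", "default-src"):
                for bad in ("'unsafe-inline'", "'unsafe-eval'"):
                    if bad in t[1:]:
                        f.append(("medium", "Content-Security-Policy", f"{t[0]} allows {bad}"))
    if _get(headers, "X-Frame-Options") is None and (csp is None or "frame-ancestors" not in csp):
        f.append(("medium", "X-Frame-Options", "no framing protection (no X-Frame-Options, no CSP frame-ancestors)"))
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        f.append(("low", "X-Content-Type-Options", "not set to nosniff"))
    xss = _get(headers, "X-XSS-Protection")
    if xss is not None and xss.strip() != "0":
        f.append(("info", "X-XSS-Protection", "legacy filter enabled; set to 0 and rely on CSP"))
    rp = _get(headers, "Referrer-Policy")
    if rp is None:
        f.append(("low", "Referrer-Policy", "missing"))
    elif rp.lower() == "unsafe-url":
        f.append(("medium", "Referrer-Policy", "unsafe-url leaks full URLs cross-origin"))
    if _get(headers, "Permissions-Policy") is None:
        f.append(("low", "Permissions-Policy", "missing"))
    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao == "*" and (_get(headers, "Access-Control-Allow-Credentials") or "").lower() == "true":
        f.append(("high", "Access-Control-Allow-Origin", "wildcard origin combined with credentials"))
    cookies = _get(headers, "Set-Cookie") or []
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                f.append(("medium", "Set-Cookie", f"cookie {name!r} lacks {flag}"))
    for h in ("X-Powered-By", "Server"):
        v = _get(headers, h)
        # X-Powered-By is a disclosure on its own; Server only when it carries a version.
        if v is not None and (h == "X-Powered-By" or re.search(r"\d+\.\d+", v)):
            f.append(("low", h, f"discloses technology/version: {v}"))
    ct = _get(headers, "Content-Type") or ""
    if ct.lower().startswith("text/") and "charset=" not in ct.lower():
        f.append(("low", "Content-Type", "text response without charset"))
    return f


if __name__ == "__main__":
    for sev, header, msg in audit(SAMPLE_RESPONSE):
        print(f"[{sev:6}] {header}: {msg}")
```

A single response cannot reveal whether the server reflects arbitrary origins, so the CORS check only catches the wildcard-plus-credentials case; confirming reflection needs a second request with an attacker-controlled Origin header, as described under Access-Control-Allow-Origin.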
About HTTP Header Checker
HTTP Header Checker is a free online tool available on SabTools.in. Learn about HTTP headers, security headers checklist and best practices. This tool is completely free to use, requires no signup, and works instantly in your browser. Your data stays private as all calculations happen on your device.
How to use HTTP Header Checker?
- Enter the required values in the input fields above
- The results will be calculated automatically in real-time
- You can copy or share the results as needed
Why use SabTools.in?
- 100% free - no signup, no limits, no hidden fees
- Lightning fast - runs instantly in your browser
- Privacy first - your data never leaves your device
- Mobile friendly - works on any phone, tablet or computer
- Made for India - Indian number formats, GST, EMI & more