HTTP Headers Checker
Analyze HTTP headers, status codes, and server responses instantly. Perfect for debugging, SEO analysis, and security audits
HTTP Header Check
Enter any website URL below:
Checking... Please wait ⏳
How to Use
- Enter URL: Type or paste any website URL in the input field above (e.g., https://example.com)
- Click Check Headers: Press the "Check Headers" button to analyze the website
- View Results: The tool will display:
- Complete list of HTTP response headers
- Security header analysis with recommendations
- Status codes and server information
- Security Analysis: Check which security headers are present or missing for better website protection
- API Access: Use our API endpoint for programmatic access (see API documentation below)
💡 Pro Tip: Use this tool for SEO analysis, security audits, debugging server configurations, and checking CORS settings.
100 Most Common HTTP Response Headers
Complete reference guide for HTTP response headers based on real-world usage statistics.
| Count | HTTP Header | Description |
|---|---|---|
| 834,082 | Content-Type | Denotes the type of media |
| 833,384 | Date | Date and Time from the response |
| 786,517 | Server | Information about the Server Software |
| 753,241 | Set-Cookie | Assigns cookies from Server to Client |
| 714,923 | Connection | Controls network connection |
| 706,267 | Content-Encoding | Specifies compression type |
| 628,732 | Vary | Details how to determine if cache can be used rather than a new response from server |
| 518,756 | Cache-Control | Details caching options in requests and responses |
| 501,318 | Transfer-Encoding | Encoding to be used for transfer of data |
| 368,014 | Expires | Specifies when the response becomes "stale" |
| 334,063 | Content-Length | Size of resource in number of bytes |
| 307,086 | X-Powered-By | Hosting and Backend Server Frameworks may use this. Can reveal sensitive information (version and software). |
| 298,609 | Link | Serialising one or more links in HTTP headers |
| 235,691 | Pragma | Related to caching, may be implemented in different ways. |
| 226,452 | Keep-Alive | Specifies how long a persistent connection stays open |
| 208,912 | Last-Modified | Last modification date of resource. Used for caching. |
| 157,980 | X-Content-Type-Options | Disables MIME Sniffing and forces browser to use type shown in Content-Type |
| 128,658 | CF-RAY | CloudFlare Header. A hashed value encoding information about the data center and the request. |
| 128,187 | ETag | Cache Validation Tag. Also used for tracking users with cookies disabled. |
| 127,715 | X-Frame-Options | Specifies whether browser should show page in an iFrame |
| 126,487 | CF-Cache-Status | CloudFlare header shows whether a resource is cached |
| 122,831 | Accept-Ranges | Indicates server support for range requests |
| 119,876 | Strict-Transport-Security | Force communication to use HTTPS (not HTTP) |
| 118,843 | X-XSS-Protection | Enables Cross Site Scripting (XSS) filtering |
| 104,121 | Expect-CT | Reporting and enforcement of Certificate Transparency. Prevents the use of mis-issued certificates for the site. |
| 69,989 | X-Cache | Used by CDN's to specify whether resource in CDN cache matches server resource |
| 60,055 | set-cookie | Assigns cookies from Server to Client |
| 55,989 | Age | Time in seconds resource has been in proxy cache |
| 55,051 | Upgrade | One way to switch from HTTP to HTTPS |
| 49,089 | Content-Language | Describes the language(s) intended for the document |
| 42,722 | P3P | Privacy Protocol that was not widely adopted |
| 42,154 | Content-Security-Policy | Controls which resources the client can load for the page |
| 39,768 | Via | Added by proxies. Can be used for both forward and reverse proxies (requests & responses) |
| 37,745 | Alt-Svc | List other ways to access service |
| 32,840 | X-AspNet-Version | Specifies the version of ASP.NET being used |
| 30,872 | Access-Control-Allow-Origin | Details whether the response can be shared. |
| 30,672 | X-UA-Compatible | Compatibility header for old versions of Microsoft Internet Explorer (IE) and Edge |
| 29,572 | Referrer-Policy | Rules which referrer information sent in the referrer header is incorporated with requests |
| 25,911 | Report-To | Header used for adding troubleshooting information |
| 25,813 | NEL | An option for developers to set network error reporting. |
| 22,163 | X-Download-Options | Specific to IE8. Stops downloads opening directly in browser. |
| 20,996 | X-Permitted-Cross-Domain-Policies | Cross-domain policy file permissions |
| 19,013 | X-Proxy-Cache | Enable caching in NGINX reverse proxy |
| 18,618 | Etag | Used for HTTP Cache validation and conditional requests using If-Match and If-None-Match |
| 18,605 | X-Request-Id | Unique request ID that associates HTTP requests between a client and a server. |
| 17,921 | X-Cacheable | Non-standard header related to caching, use can vary between different proxy & cdn networks |
| 17,533 | X-Dc | Data center identifier |
| 17,528 | X-Sorting-Hat-PodId | Shopify Related |
| 17,526 | X-Shopify-Stage | Shopify Related |
| 17,371 | X-ShopId | Shopify Related |
| 17,367 | X-Sorting-Hat-ShopId | Shopify Related |
| 17,358 | X-ShardId | Shopify Related |
| 17,122 | X-Alternate-Cache-Key | Shopify Related |
| 12,610 | X-Cache-Hits | Data successfully located in cache memory |
| 12,322 | X-Varnish | ID of the current request and the ID of the request that populated the Varnish cache |
| 11,081 | X-Pass-Why | Provides reason for a 'MISS' result in the x-cache |
| 11,055 | X-Generator | Exposes information/meta data about the site such as version of software |
| 10,971 | X-Cache-Group | Tags the clients about the cache-group to which they belong |
| 10,806 | X-Powered-By-Plesk | Plesk Hosting Software |
| 10,672 | X-AspNetMvc-Version | Shows the version of the framework |
| 10,542 | X-Powered-CMS | Exposes name and version of CMS |
| 10,422 | X-Served-By | Caching related |
| 10,282 | expires | Contains the date/time after which the response object is considered stale |
| 10,198 | X-Amz-Cf-Pop | Amazon CloudFront |
| 10,086 | X-Amz-Cf-Id | Amazon CloudFront ID (CloudFront requires this information for debugging.) |
| 9,850 | X-Drupal-Cache | Indicates if request was served from Drupal Cache (Hit or Miss) |
| 9,469 | X-Xss-Protection | Internet explorer header compatibility filter for blocking XSS |
| 8,999 | Server-Timing | Conveys information for the request-response cycle |
| 8,825 | content-encoding | Header specifying compression (gzip / compress / deflates etc) |
| 8,787 | X-Timer | A "Fastly" header: end to end request timing information |
| 8,641 | X-Runtime | Reveals time application takes to serve a request |
| 8,601 | X-ac | WordPress.com related |
| 8,467 | Host-Header | Maybe same as "Host:" header? |
| 8,293 | Access-Control-Allow-Headers | CORS allowed headers |
| 8,238 | server | Info incl version on software used by server |
| 8,127 | date | Date and time message was sent |
| 7,676 | X-hacker | Recruitment 'ad' by automattic.com |
| 7,662 | Access-Control-Allow-Methods | CORS allowed HTTP methods |
| 7,523 | X-LiteSpeed-Cache | LiteSpeed cache header |
| 7,347 | X-Turbo-Charged-By | Added when CloudFlare is used |
| 6,763 | strict-transport-security | HSTS informs browser to use HTTPS not HTTP |
| 6,725 | etag | Identifies object (and version) for caching purposes |
| 6,431 | X-Robots-Tag | Allows you to choose content search engines can crawl on the site |
| 5,897 | X-Seen-By | Tracking header |
| 5,894 | X-Wix-Request-Id | Wix hosting request ID |
| 5,894 | x-contextid | Context identifier |
| 5,578 | X-Mod-Pagespeed | Module for apache (and nginx) to increase performance |
| 5,341 | X-Cache-Status | Cache status information |
| 5,339 | Status | Non-standard HTTP response status |
Non-Standard Headers
In the above table there are a significant number of HTTP Headers that have "X-" appended to the header. This denotes the header is non-standard. It is not a part of the HTTP standard but is often used by web servers, web applications, and caching systems to pass information between the server/application and the browser.
Examples: X-Powered-By, X-Frame-Options, X-Content-Type-Options, X-Cache, X-Request-Id
HTTP Header Check API
Use our API to programmatically check HTTP headers for any website.
API Endpoint
GET https://operatetools.com/http-headers-checker/check?url={URL}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | The URL to check (with or without protocol) |
Response Format
{
"headers": {
"Content-Type": "text/html; charset=UTF-8",
"Server": "nginx/1.18.0",
"Cache-Control": "max-age=3600",
...
},
"security": [
true, // Strict-Transport-Security
false, // Content-Security-Policy
true, // X-Frame-Options
true, // X-Content-Type-Options
false, // Referrer-Policy
false // Permissions-Policy
]
}
Example Usage
JavaScript (Fetch API)
fetch('https://operatetools.com/http-headers-checker/check?url=https://example.com')
.then(response => response.json())
.then(data => {
console.log('Headers:', data.headers);
console.log('Security Analysis:', data.security);
})
.catch(error => console.error('Error:', error));
cURL
curl "https://operatetools.com/http-headers-checker/check?url=https://example.com"
Python
import requests
url = "https://operatetools.com/http-headers-checker/check"
params = {"url": "https://example.com"}
response = requests.get(url, params=params)
data = response.json()
print("Headers:", data["headers"])
print("Security Analysis:", data["security"])
Error Handling
If an error occurs, the API will return a JSON response with an error message:
{
"error": "Unable to retrieve headers."
}