Using an HTTP Header Checker to Audit Your Site
Learn how to use an HTTP Header Checker to audit response headers, security headers, cache rules, cookies, redirects, CDN behavior and website issues.
Introduction
An HTTP Header Checker shows the response headers returned by a website before the page content loads. Headers can reveal important technical details such as status code, redirects, content type, cache rules, security policies, cookies, server/CDN behavior and HTTPS handling.
Auditing headers helps you find problems that are not always visible in the browser. A page may look normal but still have weak security headers, incorrect cache settings, bad redirects, missing content type, exposed server details or inconsistent CDN/origin behavior.
Quick answer
Use an HTTP Header Checker to inspect a URL’s response status, redirects, security headers, cache-control rules, cookies, content type, compression, CDN headers and server signals. Check the final HTTPS response, not only the first redirect.
HTTP header checker
An HTTP header checker is a tool that requests a URL and displays the response headers sent by the server, CDN, proxy or application.
It can show:
- HTTP status code
- redirect location
- content type
- cache rules
- security headers
- cookies
- server/CDN hints
- compression
- CORS headers
- final response after redirects
Headers help explain how the site behaves technically before the browser renders the page.
What headers reveal
Status and availability
Whether the URL returns 200, 301, 404, 500 or another status.
Redirect behavior
Where the URL redirects and whether the final destination is correct.
Security posture
Whether browser security headers are present.
Caching behavior
Whether pages and assets are cached correctly.
Content type
Whether the server declares HTML, CSS, JavaScript, images or files correctly.
Cookies
Whether cookies use Secure, HttpOnly and SameSite attributes.
CDN/proxy layer
Whether the response comes from origin, CDN cache or edge server.
Compression
Whether gzip, Brotli or other compression is active.
Headers to check
During a basic website audit, review these header groups.
Response and redirects
status code, location, final URL, server timing if available
Security
Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Caching
Cache-Control, Expires, ETag, Last-Modified, Age
Content
Content-Type, Content-Encoding, Content-Length, Vary
Cookies
Set-Cookie, Secure, HttpOnly, SameSite
CDN/proxy
CF-Cache-Status, X-Cache, Via, Server, X-Served-By
Not every website needs every header, but unexpected missing or conflicting headers should be reviewed.
Final response
Many URLs return a redirect first. For example, HTTP may redirect to HTTPS, or non-www may redirect to www.
Audit both:
- the first response
- every redirect step
- the final response
Security, cache and content headers should be checked on the final page that users actually load.
A header checker that follows redirects is more useful than one that only shows the first response.
Security audit
Security headers help browsers apply safer behavior.
- Content-Security-Policy exists and does not break resources
- Strict-Transport-Security is present only when HTTPS is ready
- X-Frame-Options or frame-ancestors protects against unwanted framing
- X-Content-Type-Options is set to nosniff
- Referrer-Policy limits referrer leakage
- Permissions-Policy disables unused browser features
Do not add strict CSP or long HSTS blindly. Test carefully before enforcing.
Cache audit
Cache headers control how browsers and CDNs store responses.
- HTML pages are not cached too aggressively if content changes often
- static assets can use longer cache times
- private pages are not publicly cached
- CDN cache headers match your intended behavior
- cache-control does not conflict with expires
- vary headers are reasonable
Common examples:
- Cache-Control: no-cache
- Cache-Control: public, max-age=31536000, immutable
- Cache-Control: private, no-store
Bad cache headers can cause outdated pages, stale assets, privacy issues or poor performance.
Why this matters
HTTP headers matter because they control browser behavior, caching, redirects, security protections, cookies and CDN handling. Many website problems are visible in headers before they are visible in the page design.
Header audits are useful after migrations, SSL changes, CDN changes, security hardening, performance work and troubleshooting redirects or downtime.
How to audit headers
Use HTTP Header Checker to inspect the exact URL you want to audit.
Check in this order:
- Exact URL — Test the homepage and important pages separately.
- Redirects — Check HTTP to HTTPS and www/non-www behavior.
- Final status — Confirm the final URL returns the expected status.
- Security headers — Review CSP, HSTS, frame protection, nosniff, referrer and permissions policy.
- Cache headers — Check cache-control, expires, ETag and CDN cache status.
- Content headers — Review content-type and content-encoding.
- Cookies — Check Set-Cookie flags.
- CDN/origin headers — Identify whether the response is from CDN cache, edge or origin.
Audit your headers
Use HTTP Header Checker to inspect the exact URL you want to audit.
Common problems
Security headers missing
MediumThe browser receives no clear security policy for common protections.
Next step: Add low-risk headers first, then test CSP and HSTS carefully.
Headers only appear on redirects
MediumSecurity or cache headers are present on a redirect but missing on the final page.
Next step: Audit the final response after redirects.
Cache-Control too aggressive
MediumHTML pages or dynamic content may be cached longer than intended.
Next step: Adjust cache rules by content type and route.
Private content cached publicly
HighPersonalized or account pages may be stored by shared caches.
Next step: Use private, no-store or appropriate authenticated-page cache rules.
Cookie missing Secure or HttpOnly
HighSession cookies may be exposed to avoidable risks.
Next step: Add Secure and HttpOnly where appropriate.
Wrong Content-Type
MediumFiles may be interpreted incorrectly by browsers.
Next step: Set correct MIME types for HTML, CSS, JS, images and downloads.
Conflicting CDN and origin headers
MediumCDN and origin send inconsistent cache or security rules.
Next step: Choose whether headers are controlled at CDN, origin or both.
Server details exposed
LowHeaders may reveal unnecessary server or framework details.
Next step: Reduce exposed version information where possible.
Missing compression
LowText responses may be larger than necessary.
Next step: Enable gzip or Brotli for supported text assets.
How to fix issues
-
Step 1: Audit the final HTTPS response
Follow redirects and review the final page users load.
-
Step 2: Separate header types
Group findings into redirects, security, cache, cookies, content and CDN behavior.
-
Step 3: Fix high-risk items first
Prioritize private cache leaks, broken cookies, bad redirects and missing critical protections.
-
Step 4: Add low-risk security headers
Start with nosniff, referrer policy, frame protection and permissions policy.
-
Step 5: Test CSP and HSTS carefully
Use report-only CSP where possible and confirm HTTPS readiness before strict HSTS.
-
Step 6: Clean cache rules
Use different rules for HTML, static assets, private pages and API responses.
-
Step 7: Review cookies
Add Secure, HttpOnly and SameSite where appropriate.
-
Step 8: Check CDN/origin consistency
Avoid duplicate or conflicting headers from multiple layers.
-
Step 9: Re-test after deployment
Run the checker again and test important user flows.
When a CDN is used, headers may be added, removed or overwritten at the edge.
- origin sets one cache rule, CDN applies another
- duplicate security headers
- HSTS added at CDN but not origin
- CSP differs between cached and uncached pages
- cookies affect CDN cache behavior
- CDN hides origin server headers
- cache status differs by region
Decide where each header should be managed. For many sites, CDN-managed response headers are easier to apply globally, but origin rules still matter.
Check headers:
curl -I https://example.com
Follow redirects:
curl -IL http://example.com
Example final response:
HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-frame-options: SAMEORIGIN
set-cookie: session=abc; Secure; HttpOnly; SameSite=Lax
What to review:
- final status is 200
- HTTPS is active
- security headers are present
- session cookie has Secure, HttpOnly and SameSite
- cache rule is appropriate for HTML
Examples are illustrative. Header needs vary by site type, framework, CDN and hosting setup.
Header checklist
Basic
Start with response behavior and content delivery.
Final URL returns expected status
Confirm the page loads with the correct HTTP status.
Redirects are clean
Check for loops, long chains and correct destinations.
HTTPS is used
Confirm the final response is served over HTTPS.
Content-Type is correct
Verify MIME types for HTML, assets and downloads.
Security
Review browser-side protection headers.
X-Content-Type-Options
Should usually be nosniff.
Referrer-Policy
Limits referrer information sent to other sites.
X-Frame-Options or frame-ancestors
Protects against unwanted framing.
Content-Security-Policy
Controls allowed scripts, styles and resources.
Strict-Transport-Security
Present only when HTTPS is ready across affected hosts.
Permissions-Policy
Restricts unused browser features.
Caching
Confirm cache rules match content type and privacy needs.
Cache-Control
Primary cache directive for browsers and CDNs.
Expires
Should not conflict with Cache-Control.
ETag
Helps with conditional requests and revalidation.
Last-Modified
Useful for cache validation on static assets.
CDN cache status
Check hit, miss, bypass or dynamic behavior.
Cookies
Review session and tracking cookie flags.
Secure
Cookies should be sent only over HTTPS where required.
HttpOnly
Helps protect session cookies from client-side script access.
SameSite
Reduces some cross-site cookie risks.
Correct domain/path
Scope cookies appropriately for the application.
CDN/origin
Compare edge and origin header behavior.
Cache hit/miss
Understand whether the response came from cache.
Origin response headers
Compare what the origin sends versus the edge.
Duplicate headers
Look for conflicting values from multiple layers.
Server/proxy indicators
Note Server, Via, X-Served-By and similar headers.
Frequently asked questions
What is an HTTP header checker?
It shows the response headers returned by a URL, including status, redirects, cache, security and cookie information.
Should I check the first response or final response?
Both. The final response is usually most important because it is the page users load.
Can headers affect security?
Yes. Security headers can reduce risks like clickjacking, MIME sniffing and unsafe browser behavior.
Can headers affect performance?
Yes. Cache and compression headers can influence loading speed and CDN behavior.
Can headers break a site?
Yes. Strict CSP, HSTS or cache rules can break functionality if applied without testing.
Where are headers configured?
They may be configured in the web server, CDN, hosting panel, application framework or plugin.
How often should I audit headers?
Audit after migrations, CDN changes, SSL changes, security updates and major deployments.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Website Health guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!