Website Health Guides

Using an HTTP Header Checker to Audit Your Site

Learn how to use an HTTP Header Checker to audit response headers, security headers, cache rules, cookies, redirects, CDN behavior and website issues.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

An HTTP Header Checker shows the response headers returned by a website before the page content loads. Headers can reveal important technical details such as status code, redirects, content type, cache rules, security policies, cookies, server/CDN behavior and HTTPS handling.

Auditing headers helps you find problems that are not always visible in the browser. A page may look normal but still have weak security headers, incorrect cache settings, bad redirects, missing content type, exposed server details or inconsistent CDN/origin behavior.

Quick answer

Quick answer

Use an HTTP Header Checker to inspect a URL’s response status, redirects, security headers, cache-control rules, cookies, content type, compression, CDN headers and server signals. Check the final HTTPS response, not only the first redirect.

HTTP header checker

An HTTP header checker is a tool that requests a URL and displays the response headers sent by the server, CDN, proxy or application.

It can show:

  • HTTP status code
  • redirect location
  • content type
  • cache rules
  • security headers
  • cookies
  • server/CDN hints
  • compression
  • CORS headers
  • final response after redirects

Headers help explain how the site behaves technically before the browser renders the page.

What headers reveal

Status and availability

Whether the URL returns 200, 301, 404, 500 or another status.

Redirect behavior

Where the URL redirects and whether the final destination is correct.

Security posture

Whether browser security headers are present.

Caching behavior

Whether pages and assets are cached correctly.

Content type

Whether the server declares HTML, CSS, JavaScript, images or files correctly.

Cookies

Whether cookies use Secure, HttpOnly and SameSite attributes.

CDN/proxy layer

Whether the response comes from origin, CDN cache or edge server.

Compression

Whether gzip, Brotli or other compression is active.

Headers to check

During a basic website audit, review these header groups.

Response and redirects

status code, location, final URL, server timing if available

Security

Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

Caching

Cache-Control, Expires, ETag, Last-Modified, Age

Content

Content-Type, Content-Encoding, Content-Length, Vary

Cookies

Set-Cookie, Secure, HttpOnly, SameSite

CDN/proxy

CF-Cache-Status, X-Cache, Via, Server, X-Served-By

Not every website needs every header, but unexpected missing or conflicting headers should be reviewed.

Final response

Many URLs return a redirect first. For example, HTTP may redirect to HTTPS, or non-www may redirect to www.

Audit both:

  • the first response
  • every redirect step
  • the final response

Security, cache and content headers should be checked on the final page that users actually load.

A header checker that follows redirects is more useful than one that only shows the first response.

Security audit

Security headers help browsers apply safer behavior.

  • Content-Security-Policy exists and does not break resources
  • Strict-Transport-Security is present only when HTTPS is ready
  • X-Frame-Options or frame-ancestors protects against unwanted framing
  • X-Content-Type-Options is set to nosniff
  • Referrer-Policy limits referrer leakage
  • Permissions-Policy disables unused browser features

Do not add strict CSP or long HSTS blindly. Test carefully before enforcing.

Cache audit

Cache headers control how browsers and CDNs store responses.

  • HTML pages are not cached too aggressively if content changes often
  • static assets can use longer cache times
  • private pages are not publicly cached
  • CDN cache headers match your intended behavior
  • cache-control does not conflict with expires
  • vary headers are reasonable

Common examples:

  • Cache-Control: no-cache
  • Cache-Control: public, max-age=31536000, immutable
  • Cache-Control: private, no-store

Bad cache headers can cause outdated pages, stale assets, privacy issues or poor performance.

Why this matters

Why this matters

HTTP headers matter because they control browser behavior, caching, redirects, security protections, cookies and CDN handling. Many website problems are visible in headers before they are visible in the page design.

Header audits are useful after migrations, SSL changes, CDN changes, security hardening, performance work and troubleshooting redirects or downtime.

How to audit headers

Use HTTP Header Checker to inspect the exact URL you want to audit.

Check in this order:

  1. Exact URL — Test the homepage and important pages separately.
  2. Redirects — Check HTTP to HTTPS and www/non-www behavior.
  3. Final status — Confirm the final URL returns the expected status.
  4. Security headers — Review CSP, HSTS, frame protection, nosniff, referrer and permissions policy.
  5. Cache headers — Check cache-control, expires, ETag and CDN cache status.
  6. Content headers — Review content-type and content-encoding.
  7. Cookies — Check Set-Cookie flags.
  8. CDN/origin headers — Identify whether the response is from CDN cache, edge or origin.

Audit your headers

Use HTTP Header Checker to inspect the exact URL you want to audit.

Run HTTP Header Check →

Common problems

Security headers missing

Medium

The browser receives no clear security policy for common protections.

Next step: Add low-risk headers first, then test CSP and HSTS carefully.

Headers only appear on redirects

Medium

Security or cache headers are present on a redirect but missing on the final page.

Next step: Audit the final response after redirects.

Cache-Control too aggressive

Medium

HTML pages or dynamic content may be cached longer than intended.

Next step: Adjust cache rules by content type and route.

Private content cached publicly

High

Personalized or account pages may be stored by shared caches.

Next step: Use private, no-store or appropriate authenticated-page cache rules.

Cookie missing Secure or HttpOnly

High

Session cookies may be exposed to avoidable risks.

Next step: Add Secure and HttpOnly where appropriate.

Wrong Content-Type

Medium

Files may be interpreted incorrectly by browsers.

Next step: Set correct MIME types for HTML, CSS, JS, images and downloads.

Conflicting CDN and origin headers

Medium

CDN and origin send inconsistent cache or security rules.

Next step: Choose whether headers are controlled at CDN, origin or both.

Server details exposed

Low

Headers may reveal unnecessary server or framework details.

Next step: Reduce exposed version information where possible.

Missing compression

Low

Text responses may be larger than necessary.

Next step: Enable gzip or Brotli for supported text assets.

How to fix issues

  1. Step 1: Audit the final HTTPS response

    Follow redirects and review the final page users load.

  2. Step 2: Separate header types

    Group findings into redirects, security, cache, cookies, content and CDN behavior.

  3. Step 3: Fix high-risk items first

    Prioritize private cache leaks, broken cookies, bad redirects and missing critical protections.

  4. Step 4: Add low-risk security headers

    Start with nosniff, referrer policy, frame protection and permissions policy.

  5. Step 5: Test CSP and HSTS carefully

    Use report-only CSP where possible and confirm HTTPS readiness before strict HSTS.

  6. Step 6: Clean cache rules

    Use different rules for HTML, static assets, private pages and API responses.

  7. Step 7: Review cookies

    Add Secure, HttpOnly and SameSite where appropriate.

  8. Step 8: Check CDN/origin consistency

    Avoid duplicate or conflicting headers from multiple layers.

  9. Step 9: Re-test after deployment

    Run the checker again and test important user flows.

When a CDN is used, headers may be added, removed or overwritten at the edge.

  • origin sets one cache rule, CDN applies another
  • duplicate security headers
  • HSTS added at CDN but not origin
  • CSP differs between cached and uncached pages
  • cookies affect CDN cache behavior
  • CDN hides origin server headers
  • cache status differs by region

Decide where each header should be managed. For many sites, CDN-managed response headers are easier to apply globally, but origin rules still matter.

Header audit examples
Check headers:
curl -I https://example.com

Follow redirects:
curl -IL http://example.com

Example final response:

HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-frame-options: SAMEORIGIN
set-cookie: session=abc; Secure; HttpOnly; SameSite=Lax

What to review:
- final status is 200
- HTTPS is active
- security headers are present
- session cookie has Secure, HttpOnly and SameSite
- cache rule is appropriate for HTML

Examples are illustrative. Header needs vary by site type, framework, CDN and hosting setup.

Header checklist

Basic

Start with response behavior and content delivery.

Final URL returns expected status

Confirm the page loads with the correct HTTP status.

Redirects are clean

Check for loops, long chains and correct destinations.

HTTPS is used

Confirm the final response is served over HTTPS.

Content-Type is correct

Verify MIME types for HTML, assets and downloads.

Security

Review browser-side protection headers.

X-Content-Type-Options

Should usually be nosniff.

Referrer-Policy

Limits referrer information sent to other sites.

X-Frame-Options or frame-ancestors

Protects against unwanted framing.

Content-Security-Policy

Controls allowed scripts, styles and resources.

Strict-Transport-Security

Present only when HTTPS is ready across affected hosts.

Permissions-Policy

Restricts unused browser features.

Caching

Confirm cache rules match content type and privacy needs.

Cache-Control

Primary cache directive for browsers and CDNs.

Expires

Should not conflict with Cache-Control.

ETag

Helps with conditional requests and revalidation.

Last-Modified

Useful for cache validation on static assets.

CDN cache status

Check hit, miss, bypass or dynamic behavior.

Cookies

Review session and tracking cookie flags.

Secure

Cookies should be sent only over HTTPS where required.

HttpOnly

Helps protect session cookies from client-side script access.

SameSite

Reduces some cross-site cookie risks.

Correct domain/path

Scope cookies appropriately for the application.

CDN/origin

Compare edge and origin header behavior.

Cache hit/miss

Understand whether the response came from cache.

Origin response headers

Compare what the origin sends versus the edge.

Duplicate headers

Look for conflicting values from multiple layers.

Server/proxy indicators

Note Server, Via, X-Served-By and similar headers.

Frequently asked questions

What is an HTTP header checker?

It shows the response headers returned by a URL, including status, redirects, cache, security and cookie information.

Should I check the first response or final response?

Both. The final response is usually most important because it is the page users load.

Can headers affect security?

Yes. Security headers can reduce risks like clickjacking, MIME sniffing and unsafe browser behavior.

Can headers affect performance?

Yes. Cache and compression headers can influence loading speed and CDN behavior.

Can headers break a site?

Yes. Strict CSP, HSTS or cache rules can break functionality if applied without testing.

Where are headers configured?

They may be configured in the web server, CDN, hosting panel, application framework or plugin.

How often should I audit headers?

Audit after migrations, CDN changes, SSL changes, security updates and major deployments.

Use these free tools to verify your configuration after applying changes.

Browse all Website Health guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.