HTTP Headers Test
Inspect the HTTP headers your browser sends. Analyze request metadata for privacy, security, and debugging.
What this tool shows
The page lists request headers sent by your browser and security headers returned by the server.
Headers reveal protocol details, content handling, and policy controls.
Security headers that matter
CSP limits script sources, while HSTS enforces HTTPS on future requests.
X-Frame-Options and Permissions-Policy reduce clickjacking and feature abuse.
Privacy considerations
Referrer-Policy governs how much URL data is sent to other sites.
Overly verbose headers can reveal software or infrastructure details.
How to interpret results
Missing or weak policies increase risk even if TLS is enabled.
After changes, retest to ensure browsers enforce the expected rules.
Common misconfigurations
CSP set to report-only provides visibility but no enforcement.
HSTS with includeSubDomains can lock out subdomain hosts that lack HTTPS.
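The checks described above can be scripted against a captured response. The following is an added example, not code from this tool: the function name, the finding wording, the version-digit heuristic, and the sample headers are all assumptions made for illustration.

```python
# Added example: audit a response's headers for the issues this page lists.
# SAMPLE_HEADERS is constructed; finding text and heuristics are assumptions.

SAMPLE_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Server": "nginx/1.18.0",
}


def audit_headers(headers):
    """Return a sorted list of (header, finding) tuples for a response header dict."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    # CSP: the report-only variant logs violations but blocks nothing.
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append(("content-security-policy", "report-only: no enforcement"))
        else:
            findings.append(("content-security-policy", "missing"))
    # HSTS: flag absence; note includeSubDomains so every subdomain gets checked.
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append(("strict-transport-security", "missing"))
    elif "includesubdomains" in [d.strip().lower() for d in hsts.split(";")]:
        findings.append(("strict-transport-security", "includeSubDomains: verify all subdomains serve HTTPS"))
    # Clickjacking: accept X-Frame-Options or the CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("x-frame-options", "missing"))
    for name in ("permissions-policy", "referrer-policy"):
        if name not in h:
            findings.append((name, "missing"))
    # Verbose headers: a digit in the value usually means a version is disclosed.
    for name in ("server", "x-powered-by"):
        if any(c.isdigit() for c in h.get(name, "")):
            findings.append((name, "discloses version: " + h[name]))
    return sorted(findings)


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{header}: {finding}")
```

Run it per route and per environment, since the result only describes the one response it was given.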
Limitations
Headers differ by route and environment; test the exact page that matters.
Some policies are enforced client-side and vary by browser.