HTTP Header Checker — HTTP Headers Lookup
Check HTTP headers for any URL: security headers (HSTS, CSP, X-Frame), Cache-Control, Content-Type, Server, status code. Ideal for security and performance audits.
How to check HTTP headers of a site?
HTTP Header Checker checks headers in 3 steps:
1) Enter a URL (with or without https://).
2) On clicking Check, the tool sends a HEAD request and analyzes response headers.
3) Results are classified: Good (security headers present), Warning (Server reveals version, Cache no-cache), Bad (critical headers missing), Info (others).
Ideal for: security audit (CSP, HSTS, X-Frame), checking cache strategy, debugging CORS issues, competitive analysis.
- Header classification — Good / Warning / Bad / Info
- Detection of missing security headers (HSTS, CSP, X-Frame)
- Status code + Server type (Apache/nginx/LiteSpeed)
- Ideal for site security and performance audits
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists
6 most important HTTP headers

Cache-Control
Performance: Defines how the browser caches resources. public, max-age=31536000 means 1 year of caching for static files (images, CSS, JS with a hash in the name).
Cache-Control: public, max-age=31536000

Content-Type
Basic: Defines content type and charset. text/html; charset=utf-8 for HTML, application/json for API responses. Without a proper Content-Type, the browser may misinterpret content.
Content-Type: text/html; charset=utf-8

X-Frame-Options
Security: Prevents clickjacking attacks. SAMEORIGIN allows embedding only from the same domain, DENY completely blocks <iframe> embedding. Mandatory for all admin/login pages.
X-Frame-Options: SAMEORIGIN

Strict-Transport-Security (HSTS)
Security: Forces HTTPS connections. max-age=31536000; includeSubDomains requires HTTPS for one year. Without HSTS, the browser may fall back to HTTP on the first visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)
Security: Strongest XSS protection. default-src 'self' allows scripts/styles/images only from the same domain. Prevents injection attacks and unauthorized resource loading.
Content-Security-Policy: default-src 'self'

Server
Info: Reveals the web server version. "LiteSpeed" is OK, but "Apache/2.4.41 (Ubuntu)" discloses the exact version, which points an attacker to version-specific exploits. Configure ServerSignature Off.
Server: LiteSpeed

HTTP headers — security and performance
HTTP headers are metadata that the server sends to the browser in every HTTP response. They define everything from cache strategy to security policies. Properly configured headers protect against XSS attacks, clickjacking, MIME confusion and speed up the site by 50-80% thanks to browser cache.
Headers are configured at the web server level (Apache .htaccess, nginx config, LiteSpeed) or in the application (PHP header() function, Express middleware, Next.js headers config). The most important security headers: HSTS (forces HTTPS), CSP (prevents XSS), X-Frame-Options (anti-clickjacking), X-Content-Type-Options (nosniff).
BeoHosting hosting plans have Apache + LiteSpeed with optimally configured default headers (HSTS, HTTP/2, GZIP/Brotli). If you use a Cloudflare proxy in front of BeoHosting hosting, additional headers (CF-Ray, CF-Cache-Status) will appear.