BeoHosting

Free diagnostic tool

HTTP Header Checker — HTTP Headers Lookup

Check HTTP headers for any URL: security headers (HSTS, CSP, X-Frame), Cache-Control, Content-Type, Server, status code. Ideal for security and performance audits.

TL;DR

How to check HTTP headers of a site?

HTTP Header Checker checks headers in 3 steps:

  1. Enter a URL (with or without https://).
  2. On clicking Check, the tool sends a HEAD request and analyzes the response headers.
  3. Results are classified: Good (security headers present), Warning (Server reveals version, Cache no-cache), Bad (critical headers missing), Info (others).

Ideal for: security audit (CSP, HSTS, X-Frame), checking cache strategy, debugging CORS issues, competitive analysis.

  • Header classification — Good / Warning / Bad / Info
  • Detection of missing security headers (HSTS, CSP, X-Frame)
  • Status code + Server type (Apache/nginx/LiteSpeed)
  • Ideal for site security and performance audits

BeoHosting Team

10+ years of experience: web hosting and infrastructure experts


HTTP Header Checker

Enter a URL and check HTTP headers, security headers and status code.

6 most important HTTP headers

Cache-Control

Performance

Defines how the browser caches resources. public, max-age=31536000 means 1 year caching for static files (images, CSS, JS with hash in the name).

Cache-Control: public, max-age=31536000

Content-Type

Basic

Defines content type and charset. text/html; charset=utf-8 for HTML, application/json for API responses. Without proper Content-Type, the browser may misinterpret content.

Content-Type: text/html; charset=utf-8

X-Frame-Options

Security

Prevents clickjacking attacks. SAMEORIGIN allows embedding only from the same domain; DENY blocks <iframe> embedding completely. Mandatory for all admin/login pages.

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security (HSTS)

Security

Forces HTTPS connections. max-age=31536000; includeSubDomains requires HTTPS for one year. Without HSTS, the browser may fall back to HTTP on the first visit.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)

Security

Strongest XSS protection. default-src 'self' allows scripts/styles/images only from the same domain. Prevents injection attacks and unauthorized resource loading.

Content-Security-Policy: default-src 'self'

Server

Info

Reveals the web server version. "LiteSpeed" is OK, but "Apache/2.4.41 (Ubuntu)" exposes the exact version, which lets an attacker match it to version-specific exploits. Configure ServerSignature Off.

Server: LiteSpeed

HTTP headers — security and performance

HTTP headers are metadata that the server sends to the browser in every HTTP response. They define everything from cache strategy to security policies. Properly configured headers protect against XSS attacks, clickjacking, MIME confusion and speed up the site by 50-80% thanks to browser cache.

Headers are configured at the web server level (Apache .htaccess, nginx config, LiteSpeed) or in the application (PHP header() function, Express middleware, Next.js headers config). The most important security headers: HSTS (forces HTTPS), CSP (prevents XSS), X-Frame-Options (anti-clickjacking), X-Content-Type-Options (nosniff).
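The Good / Warning / Bad / Info classification described in the TL;DR, sketched as an added example (not BeoHosting's own code). It assumes that "critical" means HSTS, CSP and X-Frame-Options, and that a Server value "reveals a version" when it contains a dotted number; the function names and the sample response are constructed for illustration.

```python
import re

# Assumption: the three headers the page names as "missing security headers".
CRITICAL = ("strict-transport-security", "content-security-policy", "x-frame-options")
# Security headers the page lists; any that are present are rated "Good".
SECURITY = CRITICAL + ("x-content-type-options", "referrer-policy", "permissions-policy")

def parse_head_response(raw):
    """Split a raw HEAD response into (status_code, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(headers):
    """Return {header-name: (rating, reason)} using the page's four ratings."""
    report = {}
    for name, value in headers.items():
        if name in SECURITY:
            report[name] = ("Good", "security header present")
        elif name == "server" and re.search(r"\d+\.\d+", value):
            report[name] = ("Warning", "Server reveals a version number")
        elif name == "cache-control" and "no-cache" in value.lower():
            report[name] = ("Warning", "caching disabled with no-cache")
        else:
            report[name] = ("Info", "informational")
    for name in CRITICAL:                      # absent critical headers
        if name not in headers:
            report[name] = ("Bad", "critical security header missing")
    return report

# Constructed sample response (not captured from a real server).
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    status, hdrs = parse_head_response(SAMPLE)
    for name, (rating, reason) in sorted(classify(hdrs).items()):
        print(f"{status} {rating:8}{name}: {reason}")
```

Some applications set headers only on GET responses, so a HEAD-based result can differ from what a browser receives for the same URL.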

BeoHosting hosting plans have Apache + LiteSpeed with optimally configured default headers (HSTS, HTTP/2, GZIP/Brotli). If you use a Cloudflare proxy in front of BeoHosting hosting, additional headers (CF-Ray, CF-Cache-Status) will appear.


Frequently asked questions - HTTP Header Checker

Answers to the most frequently asked questions about our services.

Security headers are HTTP headers that protect a site from common web attacks: HSTS (forces HTTPS, prevents SSL stripping), CSP (prevents XSS), X-Frame-Options (anti-clickjacking), X-Content-Type-Options (nosniff, prevents MIME confusion), Referrer-Policy (controls the Referer header), Permissions-Policy (camera/microphone/geolocation permissions). Without them the site is vulnerable to common attacks.

Easiest via the .htaccess file. Add to public_html/.htaccess:

Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

For CSP use our .htaccess Generator tool. Headers are applied instantly; no restart is needed.

HSTS Preload is a list maintained by Chromium (Chrome) to which strictly HTTPS-only sites (with an HSTS max-age of at least 1 year + includeSubDomains + the preload directive) can be added. If your domain is on the preload list, Chrome and Firefox will never attempt an HTTP connection and go straight to HTTPS. Submission form: hstspreload.org.

On Apache in httpd.conf or .htaccess: ServerSignature Off + ServerTokens Prod. On LiteSpeed (BeoHosting), Server: LiteSpeed is sent without a version by default, which is safe. For complete hiding, use mod_security or a reverse proxy (Cloudflare/nginx) in front of the BeoHosting backend that removes the Server header from the response.

No. The URL you check only goes through our API to the target server for the HEAD request. We do not store URLs in a database, do not log user IP addresses and do not track activity. Everything is 100% private and also works with internal/staging URLs if they are publicly accessible.
