HTTP Header Checker

See every response header a URL returns, with a security-header checklist on top.

Requests run through this site's server, because browsers hide cross-origin headers. Private/internal addresses are blocked, and response bodies are never downloaded.

Frequently asked questions

What does the HTTP header checker show?

It fetches your URL (following redirects) and lists every response header of the final response: caching, content type, server, cookie policy and more, plus a quick checklist of the six most important security headers.

Which security headers does it check?

Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Green means the header is present on the final response; red means it's missing.

Why can't my browser read another site's headers directly?

Cross-origin security rules hide most response headers from JavaScript. That's why this tool routes the request through a small server function, which can read the full header set and return it as JSON. Private and internal addresses are blocked.
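
One way a server-side fetcher like the one described above can refuse private and internal targets, as an added example that is not this site's own code. The function names, the injectable `resolve` parameter and the sample host names are assumptions made for illustration; because the tool follows redirects, the check has to be repeated for every hop.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_internal(ip_text):
    """True if the server must never connect to this address."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(host):
    """Every address the host name maps to, via the OS resolver."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_target(url, resolve=system_resolver):
    """Return (allowed, reason) for one hop; call it again per redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "resolution failed"
    if not addresses:
        return False, "no addresses"
    for addr in addresses:
        try:
            blocked = is_internal(addr)
        except ValueError:
            blocked = True  # unparseable answer: fail closed
        if blocked:
            return False, f"internal address {addr}"
    return True, "ok"

# Constructed sample data: a fake resolver so the example runs offline.
SAMPLE_DNS = {"public.example": ["93.184.216.34"],
              "mixed.example": ["93.184.216.34", "10.0.0.5"]}

def sample_resolver(host):
    return SAMPLE_DNS[host]
```

The fetch should then connect to the address that was checked rather than resolve the name a second time; otherwise a DNS answer that changes between check and connect bypasses the guard.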

Does it download the page?

No. The inspector reads only the status line and headers and cancels the body, so checking a URL costs almost no bandwidth on either side.