Recuro.

HTTP Header Inspector

Inspect response headers for any URL. Analyze security, caching, and CORS configuration.

Processed entirely in your browser — no data sent to any server.

Note: browsers restrict which headers are visible due to CORS. The server must send Access-Control-Expose-Headers to expose non-standard headers.


Why HTTP headers matter

HTTP headers are metadata sent alongside every request and response on the web. They control how browsers cache content, whether scripts can run, which origins can access resources, and dozens of other behaviors. While the body of a response carries the content your users see, the headers determine how securely and efficiently that content is delivered.

Security headers are particularly important. A missing Strict-Transport-Security header means browsers will not enforce HTTPS, leaving users vulnerable to protocol downgrade attacks. Without Content-Security-Policy, the browser has no policy with which to block injected scripts, so your site loses its browser-enforced layer of defense against cross-site scripting (XSS). Without X-Frame-Options (or the frame-ancestors directive in CSP), attackers can embed your site in an iframe for clickjacking. Each missing header is a missed opportunity to let the browser protect your users.

Performance headers matter too. Proper Cache-Control directives reduce server load and speed up page loads by telling browsers what to cache and for how long. Content-Encoding indicates compression (like gzip or brotli), which can dramatically reduce transfer sizes.

When Recuro delivers scheduled HTTP requests and webhooks, it includes proper headers for content type, authentication signatures, and retry metadata. Correct headers ensure your endpoints can verify, parse, and process each delivery reliably.

Frequently Asked Questions

What HTTP headers should every website have?

At a minimum, every website should include Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy to prevent XSS attacks, X-Content-Type-Options set to nosniff to prevent MIME-type sniffing, X-Frame-Options or frame-ancestors in CSP to prevent clickjacking, and Referrer-Policy to control information leakage. These headers form the baseline of a secure HTTP response.

Why can't I see all the response headers?

Browsers enforce CORS (Cross-Origin Resource Sharing) restrictions that limit which response headers of a cross-origin request are exposed to JavaScript. By default, only a small set of "CORS-safelisted" headers is visible: Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, and Pragma. The server must explicitly expose additional headers using the Access-Control-Expose-Headers header. This tool runs in your browser, so it is subject to these limitations.
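The baseline header list and the CORS visibility limit described above can be combined into one check. The following is an added example, not part of the original page or Recuro's code: the function name `auditSecurityHeaders`, the `crossOrigin` option and the status strings are assumptions chosen for illustration. It reports a header as "not-visible" rather than "missing" when a cross-origin script simply cannot read it.

```javascript
// Headers a script can read on a cross-origin response without
// Access-Control-Expose-Headers (the CORS-safelisted set listed above).
const CORS_SAFELISTED = new Set(["cache-control", "content-language",
  "content-length", "content-type", "expires", "last-modified", "pragma"]);

// One validity check per baseline header from the FAQ answer.
const BASELINE_CHECKS = {
  "strict-transport-security": (v) => {
    const m = /(^|;)\s*max-age="?(\d+)/i.exec(v);
    return m !== null && Number(m[2]) > 0; // max-age=0 switches HSTS off
  },
  "content-security-policy": (v) => v.length > 0,
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-frame-options": (v) => /^(deny|sameorigin)$/i.test(v),
  "referrer-policy": (v) => v.length > 0,
};

// headerPairs: any iterable of [name, value], e.g. fetch's response.headers.
// crossOrigin: true when the page origin differs from the inspected URL.
function auditSecurityHeaders(headerPairs, { crossOrigin = false } = {}) {
  const seen = new Map();
  for (const [name, value] of headerPairs) {
    seen.set(name.toLowerCase(), String(value).trim());
  }
  const csp = seen.get("content-security-policy") || "";
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s/i.test(csp);

  const report = {};
  for (const [name, isValid] of Object.entries(BASELINE_CHECKS)) {
    if (seen.has(name)) {
      report[name] = isValid(seen.get(name)) ? "ok" : "weak";
    } else if (name === "x-frame-options" && hasFrameAncestors) {
      report[name] = "ok"; // CSP frame-ancestors covers clickjacking
    } else if (crossOrigin && !CORS_SAFELISTED.has(name)) {
      report[name] = "not-visible"; // hidden from JS, maybe present on the wire
    } else {
      report[name] = "missing";
    }
  }
  return report;
}

// Constructed sample: what a script sees on a cross-origin response whose
// server sends no Access-Control-Expose-Headers.
const crossOriginView = [["Content-Type", "text/html"], ["Cache-Control", "no-store"]];
console.log(auditSecurityHeaders(crossOriginView, { crossOrigin: true }));
```

A "not-visible" result should be confirmed from a vantage point outside the browser's CORS restrictions before the header is treated as absent.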

What are security headers and why do they matter?

Security headers are HTTP response headers that instruct the browser to enable (or disable) specific security features. They protect against common web attacks like cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks. Missing security headers leave your site vulnerable to attacks that browsers could otherwise prevent. A strong security header configuration is one of the easiest ways to harden your web application.
