DNSFly

How to Read HTTP Headers

Every website sends hidden information with every page load. HTTP headers control security, caching, redirects, and more — here's how to read them and what to look for.

Quick Answer

HTTP headers are key-value pairs exchanged between your browser and a web server. Response headers tell your browser how to handle the page — how long to cache it, what security policies to enforce, what type of content it is, and which server delivered it. You can view them with DNSFly's HTTP Headers tool, browser DevTools (F12 → Network tab), or curl -I example.com from the command line.

What Are HTTP Headers?

When you visit a website, your browser sends a request to the server, and the server sends back a response. Both the request and the response include headers — metadata that tells each side how to handle the communication.

Think of it like sending a package. The package itself is the web page content (HTML, images, CSS). The headers are the shipping label — they don't contain the content, but they tell the carrier where it's going, how to handle it, and what's inside.

Here's what a real HTTP response looks like:

HTTP/2 200
content-type: text/html; charset=UTF-8
server: cloudflare
cache-control: max-age=3600
strict-transport-security: max-age=31536000
x-frame-options: DENY
x-content-type-options: nosniff
date: Mon, 17 Feb 2026 10:30:00 GMT

Each line is a header. The name is on the left of the colon, the value is on the right. Let's break down what each of these means.

The Headers That Matter Most

There are dozens of possible HTTP headers, but most of the time you only need to care about a handful. Here are the ones you'll see most often and what they tell you:

| Header | What It Does | Example Value |
| --- | --- | --- |
| content-type | Tells the browser what kind of content it's receiving | text/html; charset=UTF-8 |
| server | Identifies the web server software | nginx, Apache, cloudflare |
| cache-control | How long the browser should cache this response | max-age=3600 |
| location | Where to redirect (used with 301/302 status codes) | https://www.example.com/ |
| set-cookie | Sends a cookie to the browser for future requests | session=abc123; HttpOnly |
| content-encoding | How the response body is compressed | gzip, br |
| x-powered-by | Reveals the backend framework (should be removed) | Express, PHP/8.2, Next.js |

Security Headers You Should Check

Security headers protect your website from common attacks. If these are missing, your site may be vulnerable. Here are the most important ones:

Strict-Transport-Security (HSTS)

Forces browsers to always use HTTPS for your site. Without it, users could be tricked into loading an insecure HTTP version.

strict-transport-security: max-age=31536000; includeSubDomains

X-Frame-Options

Prevents your site from being embedded in an iframe on another site. This stops clickjacking attacks where attackers overlay invisible iframes to trick users into clicking.

x-frame-options: DENY

X-Content-Type-Options

Prevents browsers from guessing the content type (MIME sniffing). Without it, a browser might execute a file as JavaScript even if it's labeled as plain text.

x-content-type-options: nosniff

Referrer-Policy

Controls how much URL information is sent when users click a link to leave your site. Protects user privacy by not leaking full page URLs to third-party sites.

referrer-policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features (camera, microphone, geolocation) your site and any embedded iframes can access. Limits the attack surface if your site is compromised.

permissions-policy: camera=(), microphone=(), geolocation=()

Tip: Use DNSFly's HTTP Headers tool to check any website's security headers. If you see these headers missing, that's a potential vulnerability.

Caching Headers Explained

Caching headers tell browsers and CDNs whether to store a copy of the response and for how long. Getting these right is critical for performance.

| Header | Meaning | Example |
| --- | --- | --- |
| cache-control | Primary caching directive | max-age=86400 (cache for 24h) |
| etag | Unique ID for this version of the content | "33a64df5" |
| last-modified | When the content was last changed | Mon, 10 Feb 2026 12:00:00 GMT |
| expires | When the cached copy becomes stale (legacy) | Tue, 18 Feb 2026 10:00:00 GMT |
| age | How long the response has been cached (in seconds) | 3600 |

Common cache-control values you'll see:

no-cache — Always check with the server before using cached copy

no-store — Never cache this response (used for sensitive data)

public — Any cache (browser, CDN, proxy) can store this

private — Only the user's browser can cache this (not CDNs)

max-age=3600 — Cache for 3600 seconds (1 hour)
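
To see how these directives combine with age and expires, here is an added Python example (not DNSFly's code). The function name freshness, its shared_cache parameter and the sample values are assumptions made for illustration; it covers only the directives listed above.

```python
from email.utils import parsedate_to_datetime

def cache_directives(value):
    """Split a cache-control value into {directive: argument or None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def freshness(headers, shared_cache=False):
    """Say whether a cache may store the response and how many fresh seconds remain.

    headers: dict of lowercased header names to values.
    shared_cache: True for a CDN or proxy, False for the user's browser.
    """
    cc = cache_directives(headers.get("cache-control", ""))
    if "no-store" in cc:
        return {"store": False, "remaining": 0, "why": "no-store"}
    if shared_cache and "private" in cc:
        return {"store": False, "remaining": 0, "why": "private"}
    if "no-cache" in cc:
        return {"store": True, "remaining": 0, "why": "no-cache: revalidate every time"}
    if cc.get("max-age") is not None:
        lifetime, why = int(cc["max-age"]), "max-age"
    elif "expires" in headers and "date" in headers:
        # Legacy fallback: the lifetime is Expires minus Date.
        delta = parsedate_to_datetime(headers["expires"]) - parsedate_to_datetime(headers["date"])
        lifetime, why = int(delta.total_seconds()), "expires"
    else:
        return {"store": True, "remaining": 0, "why": "no explicit lifetime (heuristics not modelled)"}
    age = int(headers.get("age", 0))  # seconds the response has already spent in a cache
    return {"store": True, "remaining": max(lifetime - age, 0), "why": why}

if __name__ == "__main__":
    # Constructed sample: a 24h lifetime, already cached for one hour.
    print(freshness({"cache-control": "max-age=86400", "age": "3600"}))
```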

How to Check HTTP Headers

There are three common ways to inspect a website's HTTP headers:

1. DNSFly HTTP Headers Tool

The quickest option. Go to DNSFly HTTP Headers, enter a domain, and see all response headers instantly — no setup required.

2. Browser DevTools

Open DevTools in any browser, go to the Network tab, reload the page, and click any request to see its headers.

Windows/Linux: Ctrl + Shift + I → Network tab
Mac: Cmd + Option + I → Network tab

3. Command Line

Use curl to fetch headers from the terminal:

# Show response headers only
curl -I https://example.com

# Show headers + follow redirects
curl -IL https://example.com

# Windows PowerShell
Invoke-WebRequest -Uri https://example.com -Method Head | Select-Object -ExpandProperty Headers

Red Flags to Watch For

When checking a website's headers, these are warning signs that something isn't configured properly:

Missing Strict-Transport-Security

The site isn't forcing HTTPS. Users could be served an insecure version of the page.

X-Powered-By header is present

Exposes the backend technology (e.g. "Express", "PHP/8.2"). This gives attackers information they can use to find known vulnerabilities. It should be removed in production.

Missing X-Frame-Options or X-Content-Type-Options

Basic security headers that should be present on every site. Their absence means the site is vulnerable to clickjacking and MIME sniffing attacks.

cache-control: no-store on static assets

Images, CSS, and JavaScript files should be cached. If they're set to no-store, every page load re-downloads everything — wasting bandwidth and slowing the site.

Server header leaking version numbers

Seeing server: Apache/2.4.51 with an exact version number makes it easy for attackers to look up known vulnerabilities for that specific version.
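
The red flags above can be checked automatically against the output of curl -I. The following Python script is an added example, not DNSFly's code; the function names, the list of static-asset suffixes and both sample responses are assumptions constructed for illustration, and it handles a single response block (not the multiple blocks curl -IL prints when following redirects).

```python
import re

# Headers the red-flag list above expects on every site.
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options")
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".woff2")  # assumed static-asset suffixes

def parse_headers(raw):
    """Parse `curl -I` style output into (status_line, {lowercased name: [values]})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # names are case-insensitive; a name may repeat (e.g. set-cookie)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def red_flags(raw, path="/"):
    """Return the red flags found in one response's headers for the requested path."""
    _, h = parse_headers(raw)
    flags = [f"missing {name}" for name in REQUIRED if name not in h]
    if "x-powered-by" in h:
        flags.append("x-powered-by present: " + ", ".join(h["x-powered-by"]))
    # A digit right after the slash (Apache/2.4.51) means an exact version is exposed.
    for value in h.get("server", []):
        if re.search(r"/\d", value):
            flags.append("server leaks version: " + value)
    directives = {d.strip().lower() for v in h.get("cache-control", []) for d in v.split(",")}
    if "no-store" in directives and path.lower().endswith(STATIC_EXT):
        flags.append("no-store on static asset " + path)
    return flags

# Constructed sample responses (not captured from a real site).
GOOD = """HTTP/2 200
content-type: text/html; charset=UTF-8
server: cloudflare
strict-transport-security: max-age=31536000
x-frame-options: DENY
x-content-type-options: nosniff
"""
BAD = """HTTP/1.1 200 OK
Server: Apache/2.4.51
X-Powered-By: PHP/8.2
Cache-Control: no-store
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for label, raw, path in (("good", GOOD, "/"), ("bad", BAD, "/static/app.js")):
        print(label, red_flags(raw, path) or "no red flags")
```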
