JA Technology Solutions
HTTP Header Inspector
Fetch any URL and see its response headers, redirect chain, and a full security-header audit (HSTS, CSP, X-Frame-Options, and more).
Runs a server-side GET against the URL you provide, follows up to 5 redirects, captures every response header, and runs a security-header audit covering HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each header is graded pass/warn/fail with plain-language notes about what's missing or weak. Useful for auditing your own deployments, investigating a competitor's headers, or verifying CDN / proxy configurations.
Why Response Headers Matter
A modern web application lives and dies by the HTTP headers it returns. HSTS forces browsers to use HTTPS, defeating downgrade attacks. CSP restricts where scripts, styles, and images can come from, providing a strong XSS defense. X-Frame-Options (and the newer frame-ancestors CSP directive) stops the page from being loaded in an iframe for clickjacking attacks. X-Content-Type-Options: nosniff disables MIME type sniffing, preventing content-type-confusion XSS. Referrer-Policy controls how much of the current URL leaks to third parties. Permissions-Policy gates access to browser APIs like camera, microphone, geolocation, and payment. Missing or weak versions of any of these create real attack surface.
What This Tool Does
You give it a URL, it fires a server-side GET through a Cloudflare Pages Function, and it returns the full response including every header, the redirect chain (up to 5 hops), timing, and a pass/warn/fail audit of the security-relevant headers listed above. Because the fetch runs server-side in a hardened environment, it is not subject to the CORS restrictions or browser extensions that can interfere with a client-side check. The tool is aggressively gated against abuse: per-IP and global rate limits, a Turnstile challenge, scheme/port allowlists, and DNS-rebinding defense that re-validates every redirect hop.
Common Grades to Aim For
A production web app should ideally have: HSTS with max-age ≥ 31536000 (1 year) + includeSubDomains + preload; a CSP without unsafe-inline or unsafe-eval; X-Frame-Options: DENY (or SAMEORIGIN if you legitimately iframe yourself); X-Content-Type-Options: nosniff; a strict Referrer-Policy like strict-origin-when-cross-origin; and a Permissions-Policy explicitly denying sensitive features you don’t use. If any of those are missing or weak, this audit will flag them.
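As an added illustration, not the Inspector's own code, here are the grading targets above expressed as a small JavaScript audit function. The exact pass/warn/fail cut-offs and the list of Permissions-Policy features it checks (camera, microphone, geolocation, payment) are assumptions drawn from the targets listed on this page, not the tool's actual rules.

```javascript
// Added example (not the Inspector's own code): grade a header map against the targets above.
const ONE_YEAR = 31536000;
const STRICT_REFERRER = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
const SENSITIVE = ['camera', 'microphone', 'geolocation', 'payment']; // assumed feature list
const verdict = (grade, note = 'ok') => ({ grade, note });
function auditHeaders(headers) {
  // Header names and values are compared case-insensitively.
  const h = Object.fromEntries(Object.entries(headers)
    .map(([k, v]) => [k.toLowerCase(), String(v).trim().toLowerCase()]));
  const r = {};
  // HSTS: pass needs a one-year max-age plus includeSubDomains and preload.
  const hsts = h['strict-transport-security'];
  const maxAge = Number((hsts?.match(/max-age=(\d+)/) || [])[1] || 0);
  r.hsts = !hsts ? verdict('fail', 'missing')
    : maxAge < ONE_YEAR ? verdict('warn', 'max-age below one year')
    : !hsts.includes('includesubdomains') || !hsts.includes('preload')
      ? verdict('warn', 'add includeSubDomains and preload') : verdict('pass');
  // CSP: present and free of unsafe-inline / unsafe-eval.
  const csp = h['content-security-policy'];
  r.csp = !csp ? verdict('fail', 'missing')
    : /'unsafe-(inline|eval)'/.test(csp) ? verdict('warn', 'allows unsafe-inline or unsafe-eval')
    : verdict('pass');
  // Framing: X-Frame-Options DENY/SAMEORIGIN, or the newer frame-ancestors CSP directive.
  const xfo = h['x-frame-options'];
  r.xfo = xfo === 'deny' || xfo === 'sameorigin' || /frame-ancestors/.test(csp || '')
    ? verdict('pass')
    : xfo ? verdict('warn', 'unrecognised value "' + xfo + '"')
    : verdict('fail', 'missing and no frame-ancestors in CSP');
  r.xcto = h['x-content-type-options'] === 'nosniff'
    ? verdict('pass') : verdict('fail', 'missing or not nosniff');
  const rp = h['referrer-policy'];
  r.referrer = !rp ? verdict('fail', 'missing')
    : STRICT_REFERRER.includes(rp) ? verdict('pass')
    : verdict('warn', '"' + rp + '" may leak full URLs to third parties');
  // Permissions-Policy: each sensitive feature should be explicitly denied with "feature=()".
  const pp = h['permissions-policy'];
  const open = SENSITIVE.filter(f => !new RegExp(f + '=\\(\\)').test(pp || ''));
  r.permissions = !pp ? verdict('fail', 'missing')
    : open.length ? verdict('warn', 'not explicitly denied: ' + open.join(', '))
    : verdict('pass');
  return r;
}
// Constructed sample: HSTS without preload, inline scripts allowed, no framing protection, payment undeclared.
const SAMPLE = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

Calling `auditHeaders(SAMPLE)` grades HSTS, CSP and Permissions-Policy as warn, X-Frame-Options as fail, and the remaining two as pass.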
Need a Security Review?
I help clients audit and harden web applications end-to-end — security headers, CSP policies, deployment config, authentication flows, and monitoring. Get in touch, or see integration services if you’re designing new infrastructure.