HTTP Header & Cache Inspector

Inspect HTTP response headers, detect CDN providers, analyze cache configuration, and trace every redirect - for any URL. No signup, no rate-limit gate, instant results.

What it checks

A full read-out of every signal your server returns.

One request, one report - covering status, redirects, caching, CDN, security, and content.

HTTP status & version

Confirms the response code (200, 301, 404, 5xx), the negotiated protocol (HTTP/1.1, HTTP/2, HTTP/3), and the final URL after redirects.

Redirect chain

Traces every hop from the original request to the final destination - status codes, Location headers, and total chain length, so you can spot loops or surprise downgrades to HTTP.
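The checks described above (loops, chain length, and HTTPS-to-HTTP downgrades) can be sketched as follows. This is an added example, not the inspector's own code: the recorded responses are constructed sample data, and the function name and the default limit of 10 hops are assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def analyze_chain(start_url, responses, max_hops=10):
    """Follow recorded redirects and return (hops, findings).

    `responses` stands in for the network: {url: (status, headers)}.
    max_hops=10 is an assumed limit, not the tool's documented value.
    """
    hops, findings, seen = [], [], set()
    url = start_url
    while True:
        if url in seen:
            findings.append(f"loop: {url} visited twice")
            break
        if len(hops) >= max_hops:
            findings.append(f"hop limit {max_hops} reached at {url}")
            break
        seen.add(url)
        status, headers = responses[url]
        hops.append((status, url))
        # Header names are case-insensitive, so normalise before lookup.
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(url, location)  # Location may be a relative reference
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        url = nxt
    return hops, findings

# Constructed sample chains (not captured from any real site).
SAMPLE = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (302, {"location": "/login"}),
    "https://example.test/login": (302, {"Location": "http://sso.example.test/auth"}),
    "http://sso.example.test/auth": (200, {"Content-Type": "text/html"}),
}
LOOP = {
    "https://a.test/x": (302, {"Location": "/y"}),
    "https://a.test/y": (302, {"Location": "/x"}),
}

if __name__ == "__main__":
    for chain, start in ((SAMPLE, "http://example.test/"), (LOOP, "https://a.test/x")):
        print(analyze_chain(start, chain))
```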

Cache configuration

Decodes Cache-Control, ETag, Last-Modified, Expires, and Vary - the headers that tell browsers and CDNs what to cache and for how long.

CDN detection

Identifies the CDN in front of the response (Cloudflare, Fastly, CloudFront, Akamai, Vercel, Netlify) from the Server and Via headers and from CDN-specific headers like cf-ray and x-served-by.

Security headers

Surfaces HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy so you can see what is (and isn't) defending the page.

Content & encoding

Reads Content-Type, Content-Encoding, Content-Length, and the encoding chain (gzip, br) so you can confirm responses are being compressed and served with the right MIME type.

How it works

From URL to full report in about a second.

No signup, no extension, no command line - just paste and read.

01. Paste a URL

Drop the full URL including the scheme (https:// or http://). Both apex domains and subdomains are supported.

02. Run the check

We send a single GET request from our edge, follow redirects up to a safe limit, and capture every response header along the way.

03. Read the report

You'll see the full redirect chain, decoded cache and security headers, the detected CDN, and a copyable view of the raw response.

Why headers matter

Small headers, big consequences.

The right headers make your site fast, secure, and easy to debug. The wrong ones cost you bandwidth, rankings, and sometimes data.

Performance

Cache headers decide whether your CDN and your visitors' browsers re-download a resource on every page view or serve it from local memory. A missing Cache-Control can mean 10× the egress bandwidth and a noticeably slower site.

Security

Without Strict-Transport-Security you're exposed to HTTPS downgrade attacks. Without a strong Content-Security-Policy a single injected script can exfiltrate user data. Headers are your free, no-deploy defense layer.

Operability

When something goes wrong in production, response headers are the first place to look. They reveal which server replied, which CDN region cached the response, and whether a redirect chain is bouncing visitors into a loop.

Reference

Common response headers, explained.

The headers worth knowing - what they do, and when they matter.

Cache-Control

The master cache directive. Values like max-age=3600, public, no-store, and stale-while-revalidate decide whether browsers and CDNs serve from cache or refetch.

ETag / Last-Modified

Validation tokens. Browsers send them back on the next request so the server can reply 304 Not Modified without resending the body - a major bandwidth win on warm caches.

Strict-Transport-Security

Tells browsers to always use HTTPS for your domain. Without HSTS, a single HTTP redirect is a downgrade-attack opportunity.

Content-Security-Policy

Whitelists which scripts, styles, and resources can run on the page. The strongest single defense against XSS - and the most-misconfigured header on the web.

X-Frame-Options / frame-ancestors

Controls who can embed your site in an iframe. Set X-Frame-Options to DENY (or SAMEORIGIN) to prevent clickjacking attacks; frame-ancestors is the Content-Security-Policy directive that does the same job.

Vary

Tells caches which request headers (User-Agent, Accept-Encoding, Cookie) alter the response. Wrong or missing Vary values silently break shared caches.
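How a missing Vary breaks a shared cache, as an added example that is not part of the original page. The cache and origin below are toy models written for this illustration (the class, function names and the /app.js path are assumptions); request header names are passed in lowercase.

```python
class SharedCache:
    """Toy shared cache keyed on URL plus the request headers named in Vary."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}      # cache key -> stored response headers
        self.vary_for = {}   # url -> header names from the last Vary seen

    def _key(self, url, req):
        names = self.vary_for.get(url, [])
        return (url, tuple((n, req.get(n, "")) for n in names))

    def fetch(self, url, req):
        key = self._key(url, req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(url, req)
        vary = resp.get("vary", "")
        self.vary_for[url] = sorted(v.strip().lower() for v in vary.split(",") if v.strip())
        self.store[self._key(url, req)] = resp
        return resp, "MISS"

def make_origin(send_vary):
    """Origin that serves Brotli only to clients that advertise it."""
    def origin(url, req):
        enc = "br" if "br" in req.get("accept-encoding", "") else "identity"
        resp = {"content-encoding": enc, "cache-control": "public, max-age=3600"}
        if send_vary:
            resp["vary"] = "Accept-Encoding"
        return resp
    return origin

def second_client_encoding(send_vary):
    """Encoding handed to a client without Brotli after the cache is warm."""
    cache = SharedCache(make_origin(send_vary))
    cache.fetch("/app.js", {"accept-encoding": "gzip, br"})  # warms the cache
    resp, state = cache.fetch("/app.js", {"accept-encoding": "gzip"})
    return resp["content-encoding"], state

if __name__ == "__main__":
    print("without Vary:", second_client_encoding(False))
    print("with Vary:   ", second_client_encoding(True))
```

Without Vary the second client receives a Brotli body it never asked for; with Vary: Accept-Encoding the cache stores a separate variant and goes back to the origin.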

Content-Encoding

Confirms responses are compressed - gzip, br (Brotli), or zstd. Uncompressed text responses are nearly always a performance bug.

Server / X-Powered-By

Identifies the origin software and runtime. Often considered an information leak and removed during production hardening.
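A minimal audit of the security-related headers in this reference, run over one weak and one hardened response. This is an added example, not the inspector's code: the function names, finding strings and both sample responses are constructed for illustration.

```python
import re

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP header into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # per the CSP spec, a repeated directive is ignored
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(headers):
    """Return findings for one response's headers (a name -> value dict)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = []
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    if "strict-transport-security" not in h:
        out.append("HSTS missing")
    elif not m or int(m.group(1)) == 0:
        out.append("HSTS max-age absent or 0, so no policy is stored")
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if not csp:
        out.append("CSP missing")
    elif scripts is None:
        out.append("CSP does not restrict scripts")
    elif "'unsafe-inline'" in scripts and not any(t.startswith(HASH_OR_NONCE) for t in scripts):
        out.append("CSP allows inline scripts ('unsafe-inline')")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        out.append("no framing restriction")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append("X-Content-Type-Options is not nosniff")
    out += [f"{n} missing" for n in ("referrer-policy", "permissions-policy") if n not in h]
    out += [f"{n} discloses software: {h[n]}" for n in ("server", "x-powered-by")
            if re.search(r"\d", h.get(n, ""))]
    return out

# Constructed sample responses, not taken from any real site.
WEAK = {
    "Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=0", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()"}
```

Calling audit(WEAK) returns seven findings and audit(HARDENED) returns an empty list.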

FAQ

Frequently asked questions.

Quick answers about the inspector and how to use it well.

Why are some headers missing from my response?

Some hosts intentionally strip headers like Server and X-Powered-By for security. Others don't set caching or security headers at all - which is itself a useful diagnostic signal. The tool shows exactly what came back, no more, no less.

Does this tool follow redirects?

Yes. It follows redirects up to a reasonable hop limit and records the full chain, with status codes and Location headers for every step. You'll see chained redirects, HTTP-to-HTTPS hops, and any loops.

Can I inspect headers behind a login?

No - the inspector fetches anonymously from our edge, so it can't see authenticated responses. For logged-in pages, use your browser's DevTools Network panel instead.

Will this trigger my CDN's bot protection?

It can. Some sites block edge requests from datacenter IPs or unfamiliar User-Agents and return 403 or 429. That response is real - it's what an unsigned client sees. Try again later or allowlist our checker IPs.

How often should I check my headers?

On every deploy, and whenever you change CDN, caching, redirects, or security policy. For continuous coverage, SiteTrak monitors these every few minutes and alerts the moment a header changes.

Is this tool really free?

Yes - no signup, no rate-limit gate, no email harvesting. We rate-limit per-IP to keep it fast for everyone, but otherwise it's open. The paid product is the monitoring side: continuous checks and alerts.
