Fetch and audit all HTTP response headers for any URL. Security headers, CORS, cache policies, and server info — all in one view.
Fetches via server-side proxy — works around CORS restrictions
Security audit, CORS, cache, server info — all headers organized and actionable.
Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing headers are flagged with severity levels.
Displays all Access-Control-Allow-Origin and related CORS headers. Essential for debugging cross-origin request issues in APIs and web apps.
Shows Cache-Control, ETag, Last-Modified, Expires, and Age headers. Understand caching policies at a glance without digging through browser DevTools.
Shows Server and X-Powered-By headers. Useful for identifying the web server technology and detecting information disclosure that should be restricted.
A percentage score based on how many of the 6 key security headers are present. Gives you an instant overview of your security posture without reading each header.
Click the copy button next to any header value to copy it to your clipboard. Useful for capturing long CSP or CORS values for documentation or config files.
Security headers instruct browsers to apply additional protections. HSTS forces HTTPS connections. CSP restricts resource sources to mitigate XSS. X-Frame-Options prevents clickjacking. X-Content-Type-Options stops MIME sniffing. Together they can significantly reduce your attack surface and are required for many compliance standards.
Browsers enforce CORS policies that prevent JavaScript from reading response headers from third-party domains. This tool routes requests through a Next.js API route that fetches headers server-side and returns them. Only HEAD requests are made — no response bodies are fetched or stored.
HTTP Strict Transport Security (HSTS) tells browsers to only connect over HTTPS. Add this header to your server: Strict-Transport-Security: max-age=31536000; includeSubDomains. Once set, browsers will upgrade all connections to HTTPS for the specified duration. You can optionally submit your domain to the HSTS preload list for browser-level enforcement before the first visit.
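The header-presence score and the HSTS check described above can be reproduced offline against any set of response headers. This is an added example, not the tool's own code: it assumes the score is the share of the six listed headers that are present, and the function names and sample headers are constructed for illustration.

```python
import re

# The six headers the page lists as its key security headers.
KEY_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
)
# Headers the page names as revealing server technology.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By")


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and re.fullmatch(r"\d+", arg.strip().strip('"')):
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(headers):
    """Score a response's headers; header names are matched case-insensitively."""
    seen = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in KEY_HEADERS if h.lower() not in seen]
    report = {
        # Assumed formula: percentage of the six key headers that are present.
        "score": round(100 * (len(KEY_HEADERS) - len(missing)) / len(KEY_HEADERS)),
        "missing": missing,
        "disclosed": {h: seen[h.lower()] for h in DISCLOSURE_HEADERS if h.lower() in seen},
        "hsts": None,
    }
    if "strict-transport-security" in seen:
        report["hsts"] = parse_hsts(seen["strict-transport-security"])
    return report


# Constructed sample response headers (not captured from any real site).
SAMPLE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A header that is present still needs its value reviewed: an HSTS header with `max-age=0` counts toward the score here but tells browsers to stop enforcing HTTPS for the site.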