HTTP Headers Test - View Browser Request Headers
Inspect HTTP headers your browser sends and server responses. Analyze CSP, HSTS, Referrer-Policy, and privacy signals for security and debugging.
HTTP Headers Test
Inspect the HTTP headers your browser sends. Analyze request metadata for privacy, security, and debugging.
What this tool shows
The page lists request headers sent by your browser and security headers returned by the server.
Headers reveal protocol details, content handling, and policy controls.
Security headers that matter
CSP limits script sources, while HSTS enforces HTTPS on future requests.
X-Frame-Options and Permissions-Policy reduce clickjacking and feature abuse.
Privacy considerations
Referrer-Policy governs how much URL data is sent to other sites.
Overly verbose headers can reveal software or infrastructure details.
How to interpret results
Missing or weak policies increase risk even if TLS is enabled.
After changes, retest to ensure browsers enforce the expected rules.
Common misconfigurations
CSP set to report-only provides visibility but no enforcement.
HSTS with the includeSubDomains directive can lock users out of any subdomain that does not serve HTTPS.
Troubleshooting sequence
Start by separating request-header issues from response-header issues. Request headers come from the browser or proxy; response headers come from origin, CDN, or WAF.
Retest in private mode and then in a clean profile with extensions disabled to isolate extension or local policy interference.
If behavior differs by network, compare home, mobile, and VPN paths. Network-specific differences often indicate gateway or middlebox rewriting.
High-risk mismatch signals
When User-Agent, Client Hints, and TLS fingerprint disagree, risk engines commonly raise challenge level and increase CAPTCHA frequency.
If Referrer-Policy is missing or too permissive, cross-site navigations may leak full paths and sensitive query parameters.
Overly broad CORS and Permissions-Policy settings can expose extra capabilities to third-party scripts and increase attack surface.
CDN and reverse proxy checks
Many production issues occur between edge and origin. A CDN may add, override, or strip headers, so origin and user-visible behavior can diverge.
Test the same route via origin-direct and CDN domain, then diff CSP, HSTS, X-Frame-Options, and Permissions-Policy.
In multi-layer proxy chains, verify each layer does not override security headers unexpectedly.
Operational recommendations
Create a header baseline for critical pages and enforce it with automated checks in CI/CD.
After any WAF, CDN, or gateway policy change, run a full-path retest on login, payment, and admin flows.
For incident review, keep a record of header diffs and request path snapshots to reduce repeat regressions.
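Added example, not IPOK's tool code: a small Python audit that flags the misconfigurations described above (report-only CSP, HSTS includeSubDomains, missing or leaky Referrer-Policy, unrestricted framing) and diffs the security headers of an origin-direct response against the CDN response for the same route, which is the kind of check a CI baseline can run. The header values are constructed samples, and the finding tags are names chosen for this example.

```python
# Header names are case-insensitive; keys are normalised to lowercase.
SECURITY_HEADERS = (
    "content-security-policy", "content-security-policy-report-only",
    "strict-transport-security", "x-frame-options",
    "referrer-policy", "permissions-policy",
)
# Referrer-Policy values that can send full URLs (path and query) to other sites.
LEAKY_REFERRER = {"no-referrer-when-downgrade", "unsafe-url"}

def normalize(headers):
    return {k.lower().strip(): v.strip() for k, v in headers.items()}

def audit(headers):
    """Return finding tags for one response's security headers."""
    h, findings = normalize(headers), []
    csp = h.get("content-security-policy", "").lower()
    if not csp:  # report-only gives visibility but no enforcement
        findings.append("csp-report-only-no-enforcement"
                        if "content-security-policy-report-only" in h else "csp-missing")
    hsts = h.get("strict-transport-security", "").lower()
    if not hsts:
        findings.append("hsts-missing")
    elif "includesubdomains" in hsts:  # every subdomain must then serve HTTPS
        findings.append("hsts-includesubdomains-verify-hosts")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    rp = h.get("referrer-policy", "").lower()
    if not rp:
        findings.append("referrer-policy-missing")
    elif rp in LEAKY_REFERRER:
        findings.append("referrer-policy-leaky")
    if "permissions-policy" not in h:
        findings.append("permissions-policy-missing")
    return findings

def diff_security_headers(origin, cdn):
    """Map each security header whose value differs to (origin_value, cdn_value)."""
    o, c = normalize(origin), normalize(cdn)
    return {n: (o.get(n), c.get(n)) for n in SECURITY_HEADERS if o.get(n) != c.get(n)}

# Constructed sample responses for one route: origin-direct vs through the CDN.
ORIGIN_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
CDN_HEADERS = {  # edge downgraded CSP to report-only and dropped Referrer-Policy
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=()",
}
```

Running `audit` on both dicts and `diff_security_headers` on the pair shows the edge layer silently turning enforcement into reporting, which is exactly the origin-versus-CDN divergence the checks above are meant to catch.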
Limitations
Headers differ by route and environment; test the exact page that matters.
Some policies are enforced client-side and vary by browser.
This tool is diagnostic guidance, not a standalone compliance verdict.
Related Docs
- TLS Fingerprint — transport-layer fingerprint analysis
- Browser Fingerprint — browser-level identity signals
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response directives that tell browsers how to handle content, framing, referrals, and API permissions. Key headers include CSP (Content-Security-Policy), HSTS (HTTP Strict Transport Security), X-Frame-Options, Referrer-Policy, and Permissions-Policy. Missing or weak policies increase risk even when HTTPS is enabled.
How do I check HTTP headers?
Use IPOK's HTTP Headers Test tool to inspect both request headers your browser sends and security headers servers return. Run the test from the same network and browser profile you use in production, since headers can differ across routes, CDNs, and WAF configurations.
What is a CSP header?
CSP (Content-Security-Policy) is an HTTP response header that controls which resources the browser is allowed to load. It can restrict script sources, frame ancestors, media sources, and form destinations. A properly configured CSP reduces the impact of XSS attacks by limiting what injected scripts can do. A report-only CSP provides visibility without enforcement.
What does Referrer-Policy control?
Referrer-Policy controls how much URL and referrer information is sent when navigating from your site to other destinations. A permissive policy like no-referrer-when-downgrade can leak full paths and query strings to third-party sites. Use strict-origin-when-cross-origin or no-referrer for privacy-sensitive applications.