HTTP Header Inspector

Parse raw HTTP headers, check security score, build custom headers, and browse the reference.


Understanding HTTP Headers

HTTP headers are key-value pairs sent with every HTTP request and response. They carry metadata about the request or response — things like content type, caching instructions, authentication tokens, and security policies. Understanding headers is essential for debugging web applications, optimizing performance, and securing your site.

Security Headers

Security headers protect users from a range of attacks. The most important ones are:

  • Content-Security-Policy (CSP) — defines which resources the browser may load, preventing XSS attacks
  • Strict-Transport-Security (HSTS) — forces HTTPS connections for a specified duration
  • X-Content-Type-Options: nosniff — prevents browsers from MIME-sniffing the content type
  • X-Frame-Options — prevents clickjacking by controlling iframe embedding
  • Referrer-Policy — controls how much referrer information is sent with requests
  • Permissions-Policy — restricts access to browser APIs like camera, microphone, geolocation
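The two things the tool does first, parsing a pasted header block and scoring the security headers listed above, look roughly like this. The code is an added example, not the inspector's own source; the scoring thresholds (a one-year HSTS max-age, no 'unsafe-inline' or 'unsafe-eval' in the CSP, DENY or SAMEORIGIN for X-Frame-Options) are this example's choices rather than a published standard, and the sample response is constructed.

```python
import re
from collections import defaultdict

# Constructed sample, the kind of response a user would paste into the tool.
# It is deliberately weak so the scorer has something to report.
SAMPLE_RAW = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOWALL
Set-Cookie: a=1; HttpOnly
Set-Cookie: b=2
Cache-Control: no-cache
"""

# Field name restricted to HTTP token characters; value trimmed of surrounding whitespace.
_FIELD_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_raw_headers(raw):
    """Parse a pasted header block into (start_line, headers).

    headers maps the lowercased field name to a list of values, so repeated
    fields such as Set-Cookie are kept instead of silently overwritten.
    Parsing stops at the first blank line; anything after it is the body.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    start_line = None
    if lines and (lines[0].startswith("HTTP/") or re.match(r"^[A-Z]+ \S+ HTTP/", lines[0])):
        start_line = lines.pop(0)
    headers = defaultdict(list)
    last_name = None
    for line in lines:
        if line.strip() == "":
            break
        if line[0] in " \t" and last_name is not None:
            # Obsolete line folding: join the continuation onto the previous value.
            headers[last_name][-1] += " " + line.strip()
            continue
        m = _FIELD_LINE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        last_name = m.group(1).lower()
        headers[last_name].append(m.group(2))
    return start_line, dict(headers)


def _first(headers, name):
    vals = headers.get(name.lower())
    return vals[0] if vals else None


def score_security_headers(headers):
    """Return (score, findings): one point per header present with a sound value."""
    score, findings = 0, []

    csp = _first(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        # Conservative: a nonce or hash in the same directive makes browsers ignore
        # 'unsafe-inline', but a quick scorer flags it regardless.
        findings.append("CSP permits 'unsafe-inline' or 'unsafe-eval'")
    else:
        score += 1

    hsts = _first(headers, "Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if max_age and int(max_age.group(1)) >= 31536000:
        score += 1
    else:
        findings.append("Strict-Transport-Security missing or max-age under one year")

    xcto = _first(headers, "X-Content-Type-Options")
    if xcto and xcto.strip().lower() == "nosniff":
        score += 1
    else:
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either mechanism counts; browsers that support frame-ancestors prefer it.
    xfo = _first(headers, "X-Frame-Options")
    if (csp and "frame-ancestors" in csp) or (xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN")):
        score += 1
    else:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    for name in ("Referrer-Policy", "Permissions-Policy"):
        if _first(headers, name):
            score += 1
        else:
            findings.append(f"{name} missing")
    return score, findings


if __name__ == "__main__":
    start, hdrs = parse_raw_headers(SAMPLE_RAW)
    total, issues = score_security_headers(hdrs)
    print(start, f"security score {total}/6", *issues, sep="\n")
```

Keeping every value of a repeated field matters for the parse step: a dict that overwrites on duplicate names would show one Set-Cookie and hide the other, which is exactly the kind of detail an inspector exists to surface.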

Caching Headers

Caching headers are critical for web performance. Cache-Control is the primary header — it controls caching behavior for both browsers and CDNs. Use max-age=31536000, immutable for versioned static assets (JS, CSS with hash in filename) and no-cache for HTML files you want revalidated on every request. ETag and Last-Modified enable conditional requests — the browser can ask "has this changed?" without downloading the full resource. Use our HTTP Status Reference to understand 304 Not Modified responses.
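To show the conditional-request mechanics and the caching pitfall that matters most for security (a personalised response landing in a shared cache), here is an added example, not code from the tool. It parses Cache-Control directives, decides between 200 and 304 for a GET using the If-None-Match-before-If-Modified-Since precedence and weak entity-tag comparison from RFC 9110, and flags responses that set a cookie without marking themselves private. All header values used in the test are constructed.

```python
import re
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control field into {directive: value or None}, e.g.
    'max-age=31536000, immutable' -> {'max-age': '31536000', 'immutable': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def parse_etags(value):
    """Parse an ETag or If-None-Match value into '*' or a list of (weak, opaque_tag)."""
    value = value.strip()
    if value == "*":
        return "*"
    return [(weak == "W/", tag) for weak, tag in re.findall(r'(W/)?"([^"]*)"', value)]


def evaluate_conditional_get(response_headers, request_headers):
    """Return 304 if the client's cached copy is still current, otherwise 200.

    If-None-Match is evaluated first and, when present, If-Modified-Since is
    ignored. Entity tags use weak comparison (the W/ prefix is disregarded),
    which is the correct rule for a GET.
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    req = {k.lower(): v for k, v in request_headers.items()}

    if "if-none-match" in req:
        if "etag" not in resp:
            return 200
        wanted = parse_etags(req["if-none-match"])
        if wanted == "*":
            return 304
        current = parse_etags(resp["etag"])
        if not current or current == "*":
            return 200  # malformed ETag on our side: never claim a match
        return 304 if any(tag == current[0][1] for _, tag in wanted) else 200

    if "if-modified-since" in req and "last-modified" in resp:
        try:
            if parsedate_to_datetime(resp["last-modified"]) <= parsedate_to_datetime(req["if-modified-since"]):
                return 304
        except (TypeError, ValueError):
            return 200  # unparseable date: treat the condition as failed
    return 200


def shared_cache_warnings(response_headers):
    """Flag a response a CDN could hand to the wrong user: it sets a cookie but
    Cache-Control carries neither private nor no-store."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    directives = parse_cache_control(resp.get("cache-control", ""))
    warnings = []
    if "set-cookie" in resp and not ({"private", "no-store"} & directives.keys()):
        warnings.append("Set-Cookie response is storable by shared caches; add Cache-Control: private")
    return warnings
```

The 304 path is where the bandwidth saving described above comes from: the server compares tags or dates and sends no body at all when the client's copy is still good.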

CORS Headers

Cross-Origin Resource Sharing (CORS) headers control which origins can access your API. Access-Control-Allow-Origin specifies the allowed origin(s). Access-Control-Allow-Methods lists the HTTP methods allowed (GET, POST, PUT, etc.). Access-Control-Allow-Headers specifies which request headers can be used. CORS is enforced by browsers — it does not protect against server-to-server requests. Misconfigured CORS (using * for credentialed requests) is a common security vulnerability.
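The following added example (not the tool's code) shows what a sound server-side CORS decision looks like and why the misconfiguration named above is rejected before it reaches production. The policy object and its fields are this example's own; origins in the test are constructed.

```python
from urllib.parse import urlsplit


def is_origin(value):
    """True for a serialized origin such as https://app.example:8443: scheme and host only, no path."""
    p = urlsplit(value)
    return p.scheme in ("http", "https") and bool(p.netloc) and p.path == "" and not p.query and not p.fragment


class CorsPolicy:
    """Server-side CORS configuration; allowed_origins is an exact-match allowlist or {"*"}."""

    def __init__(self, allowed_origins, allow_credentials=False, allowed_methods=("GET",), allowed_headers=()):
        self.allowed_origins = set(allowed_origins)
        self.allow_credentials = allow_credentials
        self.allowed_methods = tuple(m.upper() for m in allowed_methods)
        self.allowed_headers = tuple(allowed_headers)


def validate_policy(policy):
    """Return configuration problems; an empty list means the policy is sound."""
    problems = []
    if policy.allow_credentials and "*" in policy.allowed_origins:
        problems.append("'*' cannot be combined with Access-Control-Allow-Credentials: true; "
                        "list the specific origins instead")
    for origin in policy.allowed_origins:
        if origin != "*" and not is_origin(origin):
            problems.append(f"allowlist entry is not an origin: {origin!r}")
    return problems


def cors_response_headers(policy, origin):
    """Compute the CORS response headers for a request carrying the given Origin.

    Returns {} when the origin is not allowed, so the browser blocks the
    cross-origin read. Origins are compared by exact string equality, never
    by prefix or substring.
    """
    if origin is None:
        return {}
    if "*" in policy.allowed_origins and not policy.allow_credentials:
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in policy.allowed_origins:
        # Echo only an allowlisted origin, and tell caches the answer depends on it.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}
    # These two are consulted by the browser on preflight responses.
    headers["Access-Control-Allow-Methods"] = ", ".join(policy.allowed_methods)
    if policy.allowed_headers:
        headers["Access-Control-Allow-Headers"] = ", ".join(policy.allowed_headers)
    return headers
```

Run validate_policy at startup and refuse to boot on problems; a credentialed API that ends up echoing arbitrary origins usually got there because '*' was rejected by browsers and someone "fixed" it without an allowlist.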

Content Negotiation Headers

Content negotiation lets clients and servers agree on the format of the response. The client sends Accept (desired content types), Accept-Language (preferred language), and Accept-Encoding (supported compression algorithms). The server responds with Content-Type (actual format), Content-Language, and Content-Encoding (compression used). Getting Accept-Encoding: gzip, br and Content-Encoding: br right for Brotli compression can reduce response sizes by 20-30% compared to gzip.
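As an added example (not the tool's code), the server side of the Accept-Encoding / Content-Encoding exchange described above, including q-values, the '*' wildcard and a client that refuses identity. The supported-coding list and the sample Accept-Encoding strings are this example's own assumptions.

```python
def parse_accept_encoding(value):
    """Return {coding: q} from an Accept-Encoding value; codings are lowercased and q defaults to 1.0.
    'gzip, br;q=0.8, *;q=0' -> {'gzip': 1.0, 'br': 0.8, '*': 0.0}"""
    prefs = {}
    for part in value.split(","):
        coding, *params = (p.strip() for p in part.split(";"))
        if not coding:
            continue
        q = 1.0
        for param in params:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # malformed q: treat the coding as unacceptable
        prefs[coding.lower()] = max(0.0, min(q, 1.0))
    return prefs


def choose_encoding(accept_encoding, supported=("br", "gzip")):
    """Pick the content coding for the response.

    Returns the chosen coding, "identity" when nothing better is acceptable,
    or None when the client refuses identity as well (answer 406 in that case).
    `supported` is in server preference order and breaks ties between equal
    q-values, which is how Brotli wins for 'Accept-Encoding: gzip, br'.
    """
    if accept_encoding is None:
        return "identity"
    prefs = parse_accept_encoding(accept_encoding)
    best, best_q = None, 0.0
    for coding in supported:
        q = prefs.get(coding, prefs.get("*"))
        if q is not None and q > best_q:
            best, best_q = coding, q
    if best is not None:
        return best
    identity_q = prefs.get("identity", prefs.get("*", 1.0))
    return "identity" if identity_q > 0 else None


def encoding_response_headers(coding):
    """Response headers for the chosen coding. Vary is set even for identity so a
    cache never serves a compressed body to a client that did not ask for one."""
    headers = {"Vary": "Accept-Encoding"}
    if coding != "identity":
        headers["Content-Encoding"] = coding
    return headers
```

The Vary: Accept-Encoding header is the piece most often forgotten: without it a shared cache keyed only on the URL can hand a Brotli body to a client that never advertised br.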

Frequently Asked Questions

Content-Security-Policy (CSP) controls which resources the browser is allowed to load. A strong CSP prevents cross-site scripting (XSS) attacks by blocking inline scripts and restricting resource origins to trusted domains. It is one of the most important security headers for web applications.

HTTP Strict Transport Security (HSTS) instructs browsers to only connect over HTTPS. Once a browser sees this header, it automatically upgrades all future requests to HTTPS for the duration specified in max-age. This prevents SSL stripping attacks and ensures users always get a secure connection.

Cache-Control tells browsers and CDNs how to cache a response. Key directives: max-age=N (cache for N seconds), no-cache (revalidate before serving), no-store (never cache), public (shareable by CDNs), private (browser-only cache). Getting this right is critical for both performance and security.

X-Frame-Options controls whether your page can be embedded in an iframe. DENY prevents all embedding, SAMEORIGIN allows same-origin iframes only. It protects against clickjacking attacks. Modern sites prefer the frame-ancestors CSP directive, but X-Frame-Options is still needed for older browsers.

Every production site should have: Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options (or CSP frame-ancestors), and Referrer-Policy. Permissions-Policy is also recommended to restrict browser API access.