Why are some headers missing from my browser's developer tools?

Browsers hide certain headers from JavaScript for security (Set-Cookie, authentication headers). Server-side viewers can show these. The Network tab in dev tools shows most response headers but not all.

What's the difference between Cache-Control and ETag?

Cache-Control specifies how long content can be cached (max-age=3600 means 1 hour). ETag is a unique identifier for the current version. ETags enable conditional requests: if the cached ETag matches, the server can return 304 Not Modified instead of resending the full body.

Why does my CSP not block what I expected?

CSP behavior depends on directive specifics (default-src, script-src, style-src, etc.) and the report-only mode flag. Inspect the actual header to confirm the policy you wrote is what is being served.

Is HTTPS required for inspection?

No, but strongly recommended. HTTP requests and responses can be intercepted and modified in transit; HTTPS prevents that.

How do I check if HSTS is enabled?

Look for the Strict-Transport-Security response header. Its value typically includes max-age and optionally includeSubDomains and preload.

What should I do if Content-Type is missing?

Browsers fall back to MIME sniffing, which can cause security issues. Configure your server to always send a correct Content-Type. The X-Content-Type-Options: nosniff header prevents browsers from overriding the declared type.

Can I inspect headers from sites I do not own?

Yes for public URLs. The headers are returned to anyone making the request. Cookies and authentication headers tied to your session are not exposed because the inspection request does not carry them.

What about HTTP/3 specific headers?

HTTP/3 retains the same header semantics as HTTP/1.1 and HTTP/2. The transport differs (QUIC instead of TCP) but the headers you see are the same.

HTTP Headers Viewer | Any-Tools.net

About HTTP Headers Viewer

HTTP headers are key-value pairs that accompany every request and response on the web, carrying metadata about the message: content type, caching directives, security policies, authentication tokens, encoding, and dozens of other concerns. Browsers, servers, CDNs, and intermediate proxies all read and write headers to coordinate behavior. Inspecting them is essential for diagnosing performance, caching, security, and integration issues.

This viewer fetches a URL and displays the response headers exactly as the server returned them. Common headers like Content-Type, Cache-Control, Content-Security-Policy, Strict-Transport-Security, and Set-Cookie are highlighted. The tool follows redirects by default, showing each step in the chain.

Some headers are particularly important for security and SEO. CSP (Content-Security-Policy) controls what resources a page can load. HSTS (Strict-Transport-Security) forces HTTPS. X-Frame-Options prevents clickjacking. Cache-Control influences how much traffic the server actually sees. Inspecting these on real responses helps verify configuration.

Why Inspect HTTP Headers

Most performance and security configuration on the web lives in headers rather than in HTML or JavaScript. CDN caching, browser caching, security policies, CORS, and HTTPS enforcement are all controlled by response headers. Inspecting actual responses confirms whether the configured headers are reaching clients.

Headers also help diagnose subtle bugs. A missing Content-Type triggers MIME sniffing. A wrong Cache-Control causes stale content or excessive load. A missing CSP allows unintended scripts. The viewer surfaces the actual headers so misconfigurations become visible.

How to View HTTP Headers

Enter a URL, see all the response headers.

Enter the URL: Type or paste the URL to inspect. Both http:// and https:// URLs work, with HTTPS strongly preferred.
Choose options: Follow redirects to see the chain of intermediate URLs. Disable to see just the first response. Choose request method (GET, HEAD, OPTIONS) for different views.
Fetch and inspect: The tool sends the request and displays response headers grouped by category. Status code and timing also appear at the top.
Review specific headers: Look for security headers (CSP, HSTS, X-Frame-Options), caching headers (Cache-Control, ETag, Last-Modified), CORS headers (Access-Control-*), and content headers (Content-Type, Content-Encoding).

Common Use Cases

Verifying CDN cache behavior — Cache-Control, ETag, and CDN-specific headers (CF-Cache-Status, X-Cache) reveal whether content is being cached and at which edge.
Auditing security headers — CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy all live in response headers. Inspecting confirms they are present and correct.
Debugging CORS issues — Access-Control-Allow-Origin and related headers control cross-origin requests. The viewer shows what the server actually returned, which often differs from what was configured.
Checking redirect chains — Long redirect chains slow page loads. The viewer follows redirects and shows each hop, exposing inefficient redirect setups.
Investigating content type mismatches — Content-Type drives browser behavior; mismatches cause MIME sniffing, encoding issues, or download instead of display. Inspecting reveals the actual served value.

Technical Details

HTTP/1.1 (RFC 7230) defines headers as case-insensitive key-value pairs separated by colons, with the value continuing to the end of the line. HTTP/2 (RFC 7540) and HTTP/3 use a binary framing format internally but the header semantics remain the same; viewers display them as if HTTP/1 syntax for readability.

Common response headers: Content-Type (MIME type and charset), Content-Length, Content-Encoding (gzip, br for compression), Cache-Control, ETag, Last-Modified, Set-Cookie, Server, Date, X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Content-Security-Policy.

The browser's same-origin policy may prevent JavaScript-based viewers from reading certain headers (cookies and authentication headers in particular). Proxy-based viewers (a server fetches and reports back) avoid this limitation.

Best Practices

Test against production URLs — Header configuration often differs between staging and production. Always verify the live URL after a deployment that affects header logic.
Watch for missing security headers — Sites missing CSP, HSTS, X-Content-Type-Options, or X-Frame-Options are vulnerable to entire classes of attacks. Inspect responses regularly.
Verify cache headers per resource type — HTML, CSS, JavaScript, and images often need different caching strategies. Inspect each type to confirm the configuration matches intent.
Compare CDN and origin headers — If you use a CDN, headers may differ between cache hits and misses, or between CDN-served and origin-served responses. Test both paths.

Frequently Asked Questions

Why are some headers missing from my browser's developer tools?: Browsers hide certain headers from JavaScript for security (Set-Cookie, authentication headers). Server-side viewers can show these. The Network tab in dev tools shows most response headers but not all.
What's the difference between Cache-Control and ETag?: Cache-Control specifies how long content can be cached (max-age=3600 means 1 hour). ETag is a unique identifier for the current version. ETags enable conditional requests: if the cached ETag matches, the server can return 304 Not Modified instead of resending the full body.
Why does my CSP not block what I expected?: CSP behavior depends on directive specifics (default-src, script-src, style-src, etc.) and the report-only mode flag. Inspect the actual header to confirm the policy you wrote is what is being served.
Is HTTPS required for inspection?: No, but strongly recommended. HTTP requests and responses can be intercepted and modified in transit; HTTPS prevents that.
How do I check if HSTS is enabled?: Look for the Strict-Transport-Security response header. Its value typically includes max-age and optionally includeSubDomains and preload.
What should I do if Content-Type is missing?: Browsers fall back to MIME sniffing, which can cause security issues. Configure your server to always send a correct Content-Type. The X-Content-Type-Options: nosniff header prevents browsers from overriding the declared type.
Can I inspect headers from sites I do not own?: Yes for public URLs. The headers are returned to anyone making the request. Cookies and authentication headers tied to your session are not exposed because the inspection request does not carry them.
What about HTTP/3 specific headers?: HTTP/3 retains the same header semantics as HTTP/1.1 and HTTP/2. The transport differs (QUIC instead of TCP) but the headers you see are the same.

HTTP Headers Viewer

Related Tools

JSON Formatter & Validator

XML Formatter & Validator

HTML Minifier

CSS Minifier

About HTTP Headers Viewer

Why Inspect HTTP Headers

How to View HTTP Headers

Common Use Cases

Technical Details

Best Practices

Frequently Asked Questions

Related Articles

Essential Developer Tools: JSON, Base64, RegEx, and More

Hashing, Encryption, and Encoding Explained: A Developer's Security Guide

Spreadsheet & Data Conversion Guide: Excel, CSV, JSON, and More

Why Browser-Based Tools Are the Future: No Installs, No Uploads, No Risk