Why do I see only a few headers?

Browsers restrict JavaScript access to response headers due to CORS. Only headers explicitly allowed by the server via Access-Control-Expose-Headers are readable. CORS-enabled APIs (like httpbin.org) expose all headers. For full inspection, use curl -I from the command line.

What is a CORS error?

CORS (Cross-Origin Resource Sharing) errors occur when a browser blocks a cross-origin request because the server doesn't include the appropriate Access-Control-Allow-Origin header. This is a browser security feature, not a server outage.

What does Cache-Control: no-store mean?

no-store tells browsers and CDNs never to cache the response. It is used for sensitive pages like banking dashboards. no-cache means the browser can store it but must revalidate with the server before using it.

What security headers should every site have?

At minimum: Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a Content-Security-Policy. These four headers protect against the most common web attacks.

📋

HTTP Header Viewer

Inspect the HTTP response headers returned by any public URL. Check status codes, cache control, security headers, content type and more.

🌐 Network & Web Tools Free Browser-based

Tool

⚠ Browser CORS limitation: Only headers explicitly shared by the server via CORS are visible. Use the httpbin.org shortcut to test headers unrestricted. For full header inspection of any URL, use a command-line tool like curl -I https://example.com.

URL

Quick test:

Important HTTP Response Headers

Header	Purpose
Content-Type	MIME type of the response body
Cache-Control	Caching instructions for browsers and CDNs
Content-Security-Policy	Controls which resources the browser can load
Strict-Transport-Security	Forces HTTPS — prevents downgrade attacks
X-Frame-Options	Prevents clickjacking via iframes
X-Content-Type-Options	Prevents MIME-type sniffing
Referrer-Policy	Controls referrer information sent with requests
Permissions-Policy	Controls browser features (camera, mic, geolocation)

Why CORS Limits Visible Headers

Browsers enforce the Same-Origin Policy — JavaScript can only read response headers that the server explicitly exposes via Access-Control-Expose-Headers. This tool shows whatever the server shares. Use curl -I or a server-side proxy for unrestricted header inspection.

HTTP Header Viewer

Important HTTP Response Headers

Why CORS Limits Visible Headers

Frequently Asked Questions