Inputs

We send a HEAD request and show the response headers, redirects, and security policies.

What the HTTP response tells you

Every HTTP response has headers that describe the response — content type, caching policy, security rules, server software, and dozens of others. This tool fetches any URL and shows you everything the server sends back.

Headers worth checking

  • Server / X-Powered-By — what software is running. Server fingerprinting.
  • Content-Type — what the response actually is (HTML, JSON, image, etc.).
  • Cache-Control / ETag / Last-Modified — caching behavior.
  • Strict-Transport-Security (HSTS) — forces future requests to HTTPS. Critical for security.
  • Content-Security-Policy (CSP) — restricts which resources the page can load.
  • X-Frame-Options / X-Content-Type-Options — anti-clickjacking and MIME-sniffing protection.
  • Set-Cookie — cookies being set, with their Secure/HttpOnly/SameSite flags.
  • Access-Control-Allow-Origin — CORS policy.
  • Server-Timing — backend performance metrics.

What missing headers tell you

Sometimes the absence of a header matters more than its presence. No HSTS header on a banking site? Big red flag. No CSP on a site that serves user content? Vulnerable to XSS exfiltration, because nothing restricts what an injected script can load or where it can send data. Modern security headers should be present and properly configured on production sites.
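
The checks described above can be scripted against a saved response. This is an added example, not this tool's own code: it audits a constructed header block for missing or weak security headers, and the function names and the 180-day HSTS threshold are assumptions.

```python
import re

# Constructed sample: headers as a HEAD response might return them (not from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.1
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Set-Cookie: sid=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    """Return (lowercased-name, value) pairs; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw, min_hsts_age=15552000):         # 180 days; this threshold is an assumption
    pairs = parse_headers(raw)
    hdr = dict(pairs)                          # last value wins; fine for single-valued headers
    findings = []
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", hdr.get(name, "")):
            findings.append(f"{name} discloses a version: {hdr[name]}")
    hsts = hdr.get("strict-transport-security")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("missing strict-transport-security")
    elif not m or int(m.group(1)) < min_hsts_age:
        findings.append("strict-transport-security max-age is short or absent")
    csp = hdr.get("content-security-policy", "")
    if not csp:
        findings.append("missing content-security-policy")
    if "x-frame-options" not in hdr and "frame-ancestors" not in csp.lower():
        findings.append("no clickjacking protection (x-frame-options or CSP frame-ancestors)")
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing x-content-type-options: nosniff")
    for value in (v for n, v in pairs if n == "set-cookie"):
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        missing = sorted({"secure", "httponly", "samesite"} - attrs)
        if missing:
            findings.append(f"cookie {value.split('=')[0]} lacks {', '.join(missing)}")
    return findings
```

Calling audit(SAMPLE) returns one finding per problem, so an empty list means every check passed.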