HTTP & security headers
Review response headers, redirect chains, and security posture in one call.
How to read a headers report
Use this page to audit production responses from an external perspective. The goal is not only to see if headers exist, but to confirm they stay consistent across redirects and match your intended policy.
Status + final URL
Validate expected destination and status code class before reviewing security controls.
Redirect chain
Check every hop for policy drift, temporary redirects, and host canonicalization mistakes.
Security impact
Use the impact notes to prioritize missing protections by risk and rollout order.
For deeper response analysis, pair this report with HTTP Deep Check and Security Headers Scorecard.
FAQ
Which headers are most important?
Start with HSTS, CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy, then expand for your application model.
Why do redirects matter?
Users and bots traverse redirects, so weak headers on any hop can still create risk or inconsistent behavior.
Can some be missing by design?
Yes, but missing headers should be explicitly justified and tracked as policy decisions, not accidental gaps.
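The per-hop checks described under "Redirect chain" and in the FAQ, as an added Python example that is not code from this page or its tool. The function name `audit_chain`, the finding strings and the sample chain are assumptions made for illustration; the baseline is the FAQ's starting set, and the check for a scheme upgrade that also changes host goes one step beyond what the page lists.

```python
from urllib.parse import urlsplit

# Starting set named in the FAQ above, lowercased for comparison.
BASELINE = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy")
TEMPORARY = {302, 303, 307}

def audit_chain(hops):
    """hops: [(status, url, headers), ...] in the order a client followed them.
    Returns a list of (hop_index, finding) tuples; empty means nothing flagged."""
    findings = []
    final_set = {k.lower() for k in hops[-1][2]}
    for i, (status, url, headers) in enumerate(hops):
        here = urlsplit(url)
        names = {k.lower() for k in headers}
        if here.scheme == "http":
            findings.append((i, "plaintext hop"))
            if "strict-transport-security" in names:
                findings.append((i, "HSTS sent over HTTP is ignored by browsers"))
        if i == len(hops) - 1:
            # Final response: every baseline header is expected unless waived by policy.
            findings += [(i, f"final response missing {h}") for h in BASELINE if h not in names]
            continue
        if status in TEMPORARY:
            findings.append((i, f"temporary redirect ({status})"))
        nxt = urlsplit(hops[i + 1][1])
        if here.hostname != nxt.hostname:
            findings.append((i, f"host changes: {here.hostname} -> {nxt.hostname}"))
            if here.scheme == "http" and nxt.scheme == "https":
                findings.append((i, f"scheme upgrade skips {here.hostname}, so it gets no HSTS"))
        if here.scheme == "https":
            # Policy drift: header the final response sets but this HTTPS hop omits.
            findings += [(i, f"drift: {h} set on final response but not here")
                         for h in BASELINE if h in final_set and h not in names]
    return findings

# Constructed sample chain (example.com hosts, made-up header values).
SAMPLE = [
    (301, "http://example.com/", {"Location": "https://www.example.com/"}),
    (302, "https://www.example.com/", {"Location": "https://www.example.com/home",
                                       "Strict-Transport-Security": "max-age=31536000"}),
    (200, "https://www.example.com/home", {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin"}),
]

if __name__ == "__main__":
    for hop, finding in audit_chain(SAMPLE):
        print(f"hop {hop}: {finding}")
```

A header that is absent by design can be dropped from `BASELINE` for that site, which keeps the waiver visible in the check itself.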