HTTP Headers Checker
Response headers, redirect chain and a security-header grade for any URL.
Queries run through the PacketNebula lookup service. We log nothing.
Reading the grade like an auditor
The grade summarizes the final response's defensive headers, weighted toward the ones that block real attack classes. An A means returning visitors are pinned to HTTPS, a content security policy exists, browsers will not sniff content types, and nobody can iframe the page into a clickjacking overlay. An F usually means the site serves none of them, which remains astonishingly common: these are response headers, set in one place in your nginx, Apache, CDN or framework config, and they cost nothing at runtime. The reference for what each header does is OWASP's secure headers project; the tool's explanations give you the one-line version plus the fix.
The redirect chain is an SEO finding, not trivia
Type the bare http domain on purpose, the way an old backlink or a typed address arrives, and count the hops. One redirect to the canonical HTTPS URL is ideal. Two is tolerable. Three or more (http to https, then to www, then a trailing slash) costs a round trip each on first visit, dilutes link signals, and burns crawl budget on large sites. Each hop in the chain shows its status code and latency, so the conversation with whoever owns the load balancer can start from numbers instead of vibes.
What the caching panel tells you
Cache-Control on your HTML decides how fast deploys propagate; on your assets it decides how fast repeat visits feel. The panel reads the final response's caching headers and translates them: how long caches may keep it, whether revalidation is required, whether a CDN already served it (the Age header is the giveaway). Compression is reported from Content-Encoding; if you see HTML leaving uncompressed in 2026, that is a one-line server fix worth a double-digit percentage reduction in transfer size.
Headers you should stop shipping
The audit also flags information leaks. A Server header announcing Apache/2.4.29 (Ubuntu) tells attackers exactly which CVE list to open; X-Powered-By does the same for your application stack. Neither header serves any function for legitimate clients. While you are in the config removing them, check that error pages get the same treatment as the homepage: security headers have a habit of existing only on the happy path.
Frequently asked questions
Which security headers actually matter in 2026?
Four do most of the work: Strict-Transport-Security forces HTTPS on returning visitors, Content-Security-Policy contains XSS damage, X-Content-Type-Options stops MIME sniffing, and the CSP frame-ancestors directive (or the older X-Frame-Options header) blocks clickjacking. Referrer-Policy and Permissions-Policy are easy extra points. Everything else is situational.
Do security headers affect SEO?
Not as a direct ranking factor, but indirectly yes: HSTS plus a clean single-hop redirect to HTTPS preserves crawl budget and link equity, and a redirect chain of three hops dilutes both. Google also flags insecure experiences in Chrome, and users bouncing off warnings is a signal you do not want.
Why does my redirect chain have multiple hops?
Usually an accumulation of rules: http to https, then non-www to www, then a trailing-slash rewrite, each as a separate redirect. Every hop adds latency and leaks a little link equity. The fix is collapsing them into one rule that goes straight to the canonical URL, and this tool shows you exactly how many hops you currently pay.
What is a good Cache-Control setting?
For fingerprinted static assets (app.3f2a1c.js), use public, max-age=31536000, immutable: cache them for a year because the filename changes when the content does. For HTML, short or no caching (max-age=0, must-revalidate or private) so deploys show up immediately. The expensive mistake is the reverse: long-caching HTML and busting assets.
Why does the tool refuse to check my intranet URL?
By design. The checker fetches URLs from our lookup service, and a service that fetches arbitrary URLs must refuse private address space (10.x, 192.168.x, 127.x, 169.254.x and friends), otherwise it becomes a proxy into internal networks, an attack class known as SSRF. Check internal sites with curl -I from inside your network.