Trace HTTP redirect chains (301/302/307), inspect response headers, and audit security headers including CSP, HSTS, X-Frame-Options, Permissions-Policy, COOP, CORP, and COEP. The tool grades your HTTP security from A+ to F based on 10 header categories. Information leak detection flags exposed server versions and technology fingerprints.
An HTTP request is sent to the target URL following all redirects. At each hop, the status code, headers, and redirect target are recorded. The final response's security headers are audited against 10 categories, each with a weighted score. Server/technology headers are checked for information leakage.
At minimum: Content-Security-Policy (prevents XSS), Strict-Transport-Security (forces HTTPS), X-Frame-Options (prevents clickjacking), and X-Content-Type-Options (prevents MIME sniffing). For an A+ grade you also need Permissions-Policy, Referrer-Policy, and cross-origin isolation headers.
301 is permanent — search engines transfer link equity to the new URL. 302 is temporary — search engines keep indexing the original URL. Use 301 for domain migrations and URL restructuring. Use 302 for A/B tests or temporary maintenance pages.
Headers like Server, X-Powered-By, and X-AspNet-Version reveal your stack to attackers. Remove them in your web server configuration. In nginx: server_tokens off. In Apache: ServerTokens Prod and Header unset X-Powered-By. In Express: app.disable('x-powered-by').
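The procedure described above (walk the redirect chain, audit the final response's security headers, flag leaking headers), as an added Python example that is not the tool's own code. The function name, the report layout, the constructed sample chain, checking leaks on every hop, and treating Server as a leak only when it carries a version number are assumptions of this example; it lists missing headers and does not reproduce the tool's weighted A+ to F grade.

```python
import re

# Header sets taken from the text: the minimum set, and the extras needed for A+.
MINIMUM = ["Content-Security-Policy", "Strict-Transport-Security",
           "X-Frame-Options", "X-Content-Type-Options"]
EXTRA = ["Permissions-Policy", "Referrer-Policy", "Cross-Origin-Opener-Policy",
         "Cross-Origin-Resource-Policy", "Cross-Origin-Embedder-Policy"]
# Always revealing; Server is flagged only when it includes a version (assumption).
LEAKY = ["X-Powered-By", "X-AspNet-Version"]


def audit_chain(hops):
    """hops: list of (url, status, headers) tuples in the order received."""
    report = {"chain": [], "missing_minimum": [], "missing_extra": [], "leaks": []}
    for url, status, headers in hops:
        h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        report["chain"].append((status, url, h.get("location")))
        # Assumption: check leaks on every hop, since a redirector can be a different server.
        for name in LEAKY:
            if name.lower() in h:
                report["leaks"].append((url, name, h[name.lower()]))
        if re.search(r"\d", h.get("server", "")):
            report["leaks"].append((url, "Server", h["server"]))
    # Security headers are audited on the final response only.
    final = {k.lower() for k in hops[-1][2]}
    report["missing_minimum"] = [n for n in MINIMUM if n.lower() not in final]
    report["missing_extra"] = [n for n in EXTRA if n.lower() not in final]
    return report


# Constructed sample chain (not captured traffic).
SAMPLE = [
    ("http://example.test/", 301,
     {"Location": "https://example.test/", "Server": "nginx/1.18.0"}),
    ("https://example.test/", 302,
     {"location": "https://www.example.test/", "Server": "nginx"}),
    ("https://www.example.test/", 200,
     {"strict-transport-security": "max-age=31536000",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "DENY",
      "X-Powered-By": "Express",
      "Referrer-Policy": "no-referrer"}),
]

if __name__ == "__main__":
    for key, value in audit_chain(SAMPLE).items():
        print(key, value)
```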