HTTP Headers Checker
Inspect the response headers a URL returns — caching, content type, compression and more — with an honest note on what your browser is allowed to read.
Reads headers your browser is allowed to expose. Cross-origin, that's a small "safe" set unless the server opts in with Access-Control-Expose-Headers. For the full header set, use a server-side request.
How this HTTP header checker works
Enter a URL and your browser requests it, then we read the Headers object from the response and list every entry we're permitted to see. Response headers are the metadata a server attaches to every reply — they describe how the content should be cached, what type it is, whether it's compressed, and how the browser should treat it. They're invisible during normal browsing but hugely useful when you're debugging performance or configuration.
One caveat we surface honestly: when you check a site on a different origin, the browser only hands scripts a short list of "safe" headers unless that server explicitly allows more. So a short list isn't a fault — it's the browser's CORS policy at work.
How to read the headers
| Header | What it tells you |
|---|---|
| Cache-Control | How long browsers/CDNs may cache the response |
| Content-Type | The media type and character set of the body |
| Content-Encoding | Compression in use (gzip, br) — good for speed |
| Strict-Transport-Security | Forces HTTPS on future visits (security) |
| Server | The web server software (often hidden cross-origin) |
If caching headers are missing or the response isn't compressed, that's often where a slow page begins — pair this with our website speed test to confirm.
Frequently asked questions
- Why do I only see a few headers?
- By default, browsers only expose a short list of "safe" response headers to scripts on another origin: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma. To reveal anything else (like Server or Strict-Transport-Security), the site has to send an Access-Control-Expose-Headers header. Most don't, so cross-origin you'll see the safe set only.
- How do I see all the headers?
- Request a URL on your own origin or on a site that sends permissive CORS headers, or use a server-side tool like curl -I. Browser security intentionally hides most cross-origin response headers, and that's by design — not something this tool can override.
- Which headers matter for performance?
- Cache-Control and Expires control how long browsers and CDNs cache your content — get these right and repeat visits fly. Content-Encoding (gzip/br) shows compression is on. Content-Type must be correct or browsers misinterpret the response.
- Which headers matter for security?
- Strict-Transport-Security enforces HTTPS, Content-Security-Policy limits what can load, and X-Content-Type-Options stops MIME sniffing. You'll usually need a server-side check to read these cross-origin, but they're worth auditing on any site you run.
- The request failed entirely. What does that mean?
- The site likely blocks cross-origin requests outright, or it was unreachable. A failure here is about CORS policy, not necessarily whether the site is online — confirm with our Is It Down? check.
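The filtering described in the first two answers, modeled as an added JavaScript example (not this tool's own code): given the full header list a server-side request would show, it returns the names a script could read. It assumes the response already passed the CORS check; the function name and sample response are constructed, and the safelist follows the Fetch standard, which also includes Content-Length.

```javascript
// Added example: models which response headers a script can read after fetch().
// Names the browser exposes cross-origin with no opt-in (Fetch standard safelist).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable from script, whatever the server sends.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// headers: array of [name, value] pairs as a server-side tool would show them.
// opts.sameOrigin: the request went to the page's own origin.
// opts.credentials: the request was sent with credentials (cookies, HTTP auth).
function readableHeaders(headers, { sameOrigin = false, credentials = false } = {}) {
  const lower = headers.map(([n, v]) => [n.toLowerCase(), v]);
  const exposeList = lower
    .filter(([n]) => n === "access-control-expose-headers")
    .flatMap(([, v]) => v.split(","))
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  // "*" acts as a wildcard only for requests without credentials.
  const wildcard = exposeList.includes("*") && !credentials;
  const exposed = new Set(exposeList);

  return lower
    .filter(([n]) => !FORBIDDEN.has(n))
    .filter(([n]) => sameOrigin || wildcard || SAFELISTED.has(n) || exposed.has(n))
    .map(([n]) => n);
}

// Constructed sample response (not captured from a real site).
const SAMPLE = [
  ["Content-Type", "text/html; charset=utf-8"],
  ["Cache-Control", "max-age=3600"],
  ["Content-Encoding", "br"],
  ["Server", "example-httpd"],
  ["Strict-Transport-Security", "max-age=31536000"],
  ["Set-Cookie", "sid=constructed; HttpOnly"],
];
const WITH_OPT_IN = [...SAMPLE,
  ["Access-Control-Expose-Headers", "Server, Strict-Transport-Security"]];

console.log("cross-origin, no opt-in:", readableHeaders(SAMPLE));
console.log("cross-origin, opt-in:   ", readableHeaders(WITH_OPT_IN));
console.log("same-origin:            ", readableHeaders(SAMPLE, { sameOrigin: true }));
```

Content-Encoding is not on the safelist, so a cross-origin check cannot confirm compression unless the server exposes that header too.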
Headers are one layer of the picture
Caching and compression matter, but so do DNS, TTFB and routing. The Doctor pulls every layer together and tells you which one is holding a site — or your connection — back.