
HTTP Header Check

Review the HTTP Headers from a web server with this quick check.


Reviewing HTTP Headers

A great deal of information can be gathered by checking the HTTP Headers from a web server. Server-side software can often be identified, down to the exact version running. Cookie strings, web application technologies, and other data can be gathered from the HTTP Header. This information can be used when troubleshooting or when planning an attack against the web server.

HTTP Header Check API

In addition to the web form above, we offer a second way to access the HTTP headers of any web site. Our HTTP Header API will trigger our system to get the headers and display them in a simple text-based output. Access the API using a web browser, curl, or any scripting language.

https://api.hackertarget.com/httpheaders/?q=http://www.google.com

This query will display the HTTP headers from www.google.com. Notice that if the web server sends a 301 or 302 redirect, the system will follow the redirect and display each set of HTTP Headers.

The API is simple to use and aims to be a quick reference tool. As a Free user you may perform up to 20 queries per day, or you can increase your daily quota with a Full Membership.

List of Common HTTP Headers

By compiling all HTTP Headers from the top 1 million websites we have generated a list of the 100 most common HTTP Response Headers. Use this reference to quickly understand the use cases for the different HTTP headers.

Note that these are the response headers, meaning those found in the response from the HTTP server after a browser makes a request.

100 most Common HTTP Response Headers

Count HTTP Header Description
834082 Content-Type Denotes the type of media
833384 Date Date and Time from the response
786517 Server Information about the Server Software
753241 Set-Cookie Assigns cookies from Server to Client
714923 Connection Controls network connection
706267 Content-Encoding Specifies compression type
628732 Vary Details how to determine if cache can be used rather than a new response from server
518756 Cache-Control Details caching options in requests and responses
501318 Transfer-Encoding Encoding to be used for transfer of data
368014 Expires Specifies when the response becomes "stale"
334063 Content-Length Size of resource in number of bytes
307086 X-Powered-By Hosting and Backend Server Frameworks may use this. Can reveal sensitive information (version and software).
298609 Link Serialising one or more links in HTTP headers
235691 Pragma Related to caching, may be implemented in different ways.
226452 Keep-Alive Specifies how long a persistent connection stays open
208912 Last-Modified Last modification date of resource. Used for caching.
157980 X-Content-Type-Options Disables MIME Sniffing and forces browser to use type shown in Content-Type
128658 CF-RAY CloudFlare Header. A hashed value encoding information about the data center and the request.
128187 ETag Cache Validation Tag. Also used for tracking users with cookies disabled.
127715 X-Frame-Options Specifies whether browser should show page in an iFrame
126487 CF-Cache-Status CloudFlare header shows whether a resource is cached
122831 Accept-Ranges  
119876 Strict-Transport-Security Force communication to use HTTPS (not HTTP)
118843 X-XSS-Protection Enables Cross Site Scripting (XSS) filtering
104121 Expect-CT Reporting and enforcement of Certificate Transparency. Prevents the use of mis-issued certificates for the site. When enabled, the Expect-CT header requests that Chrome check that certificates for the site appear in public CT logs.
69989 X-Cache Used by CDNs to specify whether resource in CDN cache matches server resource
60055 set-cookie Assigns cookies from Server to Client
55989 Age Time in seconds resource has been in proxy cache
55051 Upgrade One way to switch from HTTP to HTTPS
49089 Content-Language Describes the language(s) intended for the document
42722 P3P Privacy Protocol that was not widely adopted
42154 Content-Security-Policy CSP Controls which resources the client can load for the page
39768 Via Added by proxies. Can be used for both forward and reverse proxies (requests & responses)
37745 Alt-Svc Lists other ways to access service
32840 X-AspNet-Version Specifies the version of ASP.NET being used
30872 Access-Control-Allow-Origin Details whether the response can be shared.
30672 X-UA-Compatible Compatibility header for old versions of Microsoft Internet Explorer (IE) and Edge
29572 Referrer-Policy Rules for which referrer information, sent in the referrer header, is included with requests
25911 Report-To Header used for adding troubleshooting information??
25813 NEL An option for developers to set network error reporting.
22163 X-Download-Options Specific to IE8. Stops downloads opening directly in browser.
20996 X-Permitted-Cross-Domain-Policies  
19013 X-Proxy-Cache Enable caching in NGINX reverse proxy
18618 Etag Used for HTTP Cache validation and conditional requests using If-Match and If-None-Match
18605 X-Request-Id Unique request ID that associates HTTP requests between a client and a server.
17921 X-Cacheable Non-standard header related to caching, use can vary between different proxy & cdn networks
17533 X-Dc  
17528 X-Sorting-Hat-PodId Shopify Related
17526 X-Shopify-Stage Shopify Related
17371 X-ShopId Shopify Related
17367 X-Sorting-Hat-ShopId Shopify Related
17358 X-ShardId Shopify Related
17122 X-Alternate-Cache-Key Shopify Related
12610 X-Cache-Hits Data successfully located in cache memory
12322 X-Varnish ID of the current request and the ID of the request that populated the Varnish cache
11081 X-Pass-Why provides reason for a 'MISS' result in the x-cache
11055 X-Generator exposes information/meta data about the site such as version of software
10971 X-Cache-Group Tags the clients about the cache-group to which they belong
10806 X-Powered-By-Plesk Plesk Hosting Software
10672 X-AspNetMvc-Version Shows the version of the framework
10542 X-Powered-CMS Exposes name and version of CMS
10422 X-Served-By Caching related
10282 expires Contains the date/time after which the response object is considered stale
10198 X-Amz-Cf-Pop Amazon CloudFront
10086 X-Amz-Cf-Id Amazon CloudFront ID (CloudFront requires this information for debugging.)
9850 X-Drupal-Cache Indicates if request was served from Drupal Cache (Hit or Miss)
9469 X-Xss-Protection Internet Explorer header compatibility filter for blocking XSS
8999 Server-Timing Conveys information for the request-response cycle
8825 content-encoding Header specifying compression (gzip / compress / deflate etc)
8787 X-Timer A "Fastly" header: end to end request timing information
8641 X-Runtime reveals time application takes to serve a request
8601 X-ac WordPress.com related
8467 Host-Header Maybe same as "Host:" header?
8293 Access-Control-Allow-Headers  
8238 server info incl version on software used by server
8127 date  
7676 X-hacker Recruitment 'ad' by automattic.com
7662 Access-Control-Allow-Methods  
7523 X-LiteSpeed-Cache  
7347 X-Turbo-Charged-By Added when CloudFlare is used
6763 strict-transport-security HSTS informs browser to use HTTPS not HTTP
6725 etag Identifies object (and version) for caching purposes
6431 X-Robots-Tag Allows you to choose content search engines can crawl on the site
5897 X-Seen-By  
5894 X-Wix-Request-Id Wix hosting request ID
5894 x-contextid  
5578 X-Mod-Pagespeed Module for apache (and nginx) to increase performance
5341 X-Cache-Status  
5339 Status Non-standard HTTP response status (Status: 200 OK)
5173 X-Server-Cache Non-standard caching related
5099 x-ray CloudFlare Related
4889 Cache-control Specifies requests and responses caching mechanisms
4525 X-Cache-Enabled Cache Enabled (True / False)
4407 Access-Control-Allow-Credentials Header tells browser whether to expose the response to frontend JavaScript
4335 X-Server-Powered-By Exposes server side software
4311 X-Adblock-Key Sites use this to bypass ad blocker plugins
4311 X-Host Non-standard host header
4311 X-Nginx-Cache-Status Nginx Caching Header

Non-Standard Headers

In the above table, a significant number of HTTP Headers have "X-" prefixed to the header name. This denotes that the header is non-standard: it is not a part of the HTTP standard but is often used by web servers, web applications, and caching systems to pass information between the server / application and the browser.
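The following is an added example, not code from this site or its API: it audits a header dump from your own server for the version-disclosing headers named in the table and for missing browser security headers, folding header names to lowercase because the table counts variants such as "Server" and "server" separately. The sample dump, the host example.test, the function names, and the blank-line-separated layout of a redirect chain are all assumptions made for illustration.

```python
# Added example: audit a header dump for version disclosure and missing
# security headers. SAMPLE is constructed; its block layout is an assumption.
import re

SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://www.example.test/

HTTP/1.1 200 OK
server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Content-Type-Options: nosniff
strict-transport-security: max-age=31536000
"""

# Headers the table describes as exposing software or version details.
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
              "x-generator", "x-powered-cms", "x-server-powered-by"}
# Browser security headers from the table that the final response should carry.
EXPECTED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"]

def parse_chain(text):
    """Return one (status, {lowercased name: [values]}) tuple per response."""
    chain = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])  # "HTTP/1.1 301 ..." -> 301
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # header names are case-insensitive, so fold them
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        chain.append((status, headers))
    return chain

def audit(text):
    """Return (version_leaks, missing_security_headers) for a header dump."""
    chain = parse_chain(text)
    leaks = []
    for hop, (status, headers) in enumerate(chain):  # every hop can leak
        for name in sorted(DISCLOSING.intersection(headers)):
            for value in headers[name]:
                if re.search(r"\d+\.\d+", value):  # a version number is visible
                    leaks.append((hop, status, name, value))
    final = chain[-1][1]  # only the final response is rendered by the browser
    return leaks, [h for h in EXPECTED if h not in final]
```

Redirect hops are checked for disclosure as well as the final response, since an intermediate server or proxy can reveal its own software version.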
