Review the HTTP Headers from a web server with this quick check.

Valid input: www.example.com or https://example.com



Reviewing HTTP Headers

A great deal of information can be gathered from a check of the HTTP Headers returned by a web server. Server-side software can often be identified down to the exact version running. Cookie strings, web application technologies, and other data can also be gathered from the HTTP Headers. This information can be used when troubleshooting or when planning an attack against the web server.

HTTP Header Check API

In addition to the web form above, we offer a second way to access the HTTP headers of any web site. Our HTTP Header API will trigger our system to get the headers and display them as simple text-based output. Access the API using a web browser, curl, or any scripting language.

https://api.hackertarget.com/httpheaders/?q=http://www.google.com

This query will display the HTTP headers from www.google.com. Notice that if the web server sends a 301 or 302 redirect, the system will follow the redirect and display each set of HTTP Headers.

The API is simple to use and aims to be a quick reference tool. As a Free user you may perform up to 20 queries per day, or you can increase your daily quota with a Full Membership.

List of Common HTTP Headers

By compiling all HTTP Headers from the top 1 million websites we have generated a list of the 100 most common HTTP Response Headers. Use this reference to quickly understand the use cases for the different HTTP headers.

Note that these are the response headers, meaning those found in the response from the HTTP server after a browser makes a request.

100 most Common HTTP Response Headers

| Count | HTTP Header | Description |
|---|---|---|
| 834082 | Content-Type | Denotes the type of media |
| 833384 | Date | Date and time of the response |
| 786517 | Server | Information about the server software |
| 753241 | Set-Cookie | Assigns cookies from server to client |
| 714923 | Connection | Controls network connection |
| 706267 | Content-Encoding | Specifies compression type |
| 628732 | Vary | Details how to determine if cache can be used rather than a new response from server |
| 518756 | Cache-Control | Details caching options in requests and responses |
| 501318 | Transfer-Encoding | Encoding to be used for transfer of data |
| 368014 | Expires | Specifies when the response becomes "stale" |
| 334063 | Content-Length | Size of resource in number of bytes |
| 307086 | X-Powered-By | Hosting and backend server frameworks may use this. Can reveal sensitive information (version and software). |
| 298609 | Link | Serialising one or more links in HTTP headers |
| 235691 | Pragma | Related to caching, may be implemented in different ways. |
| 226452 | Keep-Alive | Specifies how long a persistent connection stays open |
| 208912 | Last-Modified | Last modification date of resource. Used for caching. |
| 157980 | X-Content-Type-Options | Disables MIME sniffing and forces browser to use type shown in Content-Type |
| 128658 | CF-RAY | Cloudflare header. A hashed value encoding information about the data center and the request. |
| 128187 | ETag | Cache validation tag. Also used for tracking users with cookies disabled. |
| 127715 | X-Frame-Options | Specifies whether browser should show page in an iframe |
| 126487 | CF-Cache-Status | Cloudflare header, shows whether a resource is cached |
| 122831 | Accept-Ranges | |
| 119876 | Strict-Transport-Security | Force communication to use HTTPS (not HTTP) |
| 118843 | X-XSS-Protection | Enables Cross Site Scripting (XSS) filtering |
| 104121 | Expect-CT | Reporting and enforcement of Certificate Transparency. Prevents the use of mis-issued certificates for the site. When enabled, the Expect-CT header requests that Chrome checks that certificates for the site appear in public CT logs. |
| 69989 | X-Cache | Used by CDNs to specify whether resource in CDN cache matches server resource |
| 60055 | set-cookie | Assigns cookies from server to client |
| 55989 | Age | Time in seconds resource has been in proxy cache |
| 55051 | Upgrade | One way to switch from HTTP to HTTPS |
| 49089 | Content-Language | Describes the language(s) intended for the document |
| 42722 | P3P | Privacy protocol that was not widely adopted |
| 42154 | Content-Security-Policy (CSP) | Controls which resources the client can load for the page |
| 39768 | Via | Added by proxies. Can be used for both forward and reverse proxies (requests & responses) |
| 37745 | Alt-Svc | Lists other ways to access service |
| 32840 | X-AspNet-Version | Specifies the version of ASP.NET being used |
| 30872 | Access-Control-Allow-Origin | Details whether the response can be shared. |
| 30672 | X-UA-Compatible | Compatibility header for old versions of Microsoft Internet Explorer (IE) and Edge |
| 29572 | Referrer-Policy | Controls which referrer information sent in the Referer header is included with requests |
| 25911 | Report-To | Header used for adding troubleshooting information?? |
| 25813 | NEL | An option for developers to set network error reporting. |
| 22163 | X-Download-Options | Specific to IE8. Stops downloads opening directly in browser. |
| 20996 | X-Permitted-Cross-Domain-Policies | |
| 19013 | X-Proxy-Cache | Enable caching in NGINX reverse proxy |
| 18618 | Etag | Used for HTTP cache validation and conditional requests using If-Match and If-None-Match |
| 18605 | X-Request-Id | Unique request ID that associates HTTP requests between a client and a server. |
| 17921 | X-Cacheable | Non-standard header related to caching, use can vary between different proxy & CDN networks |
| 17533 | X-Dc | |
| 17528 | X-Sorting-Hat-PodId | Shopify related |
| 17526 | X-Shopify-Stage | Shopify related |
| 17371 | X-ShopId | Shopify related |
| 17367 | X-Sorting-Hat-ShopId | Shopify related |
| 17358 | X-ShardId | Shopify related |
| 17122 | X-Alternate-Cache-Key | Shopify related |
| 12610 | X-Cache-Hits | Data successfully located in cache memory |
| 12322 | X-Varnish | ID of the current request and the ID of the request that populated the Varnish cache |
| 11081 | X-Pass-Why | Provides reason for a 'MISS' result in the x-cache |
| 11055 | X-Generator | Exposes information/metadata about the site such as version of software |
| 10971 | X-Cache-Group | Tags the clients about the cache-group to which they belong |
| 10806 | X-Powered-By-Plesk | Plesk hosting software |
| 10672 | X-AspNetMvc-Version | Shows the version of the framework |
| 10542 | X-Powered-CMS | Exposes name and version of CMS |
| 10422 | X-Served-By | Caching related |
| 10282 | expires | Contains the date/time after which the response object is considered stale |
| 10198 | X-Amz-Cf-Pop | Amazon CloudFront |
| 10086 | X-Amz-Cf-Id | Amazon CloudFront ID (CloudFront requires this information for debugging.) |
| 9850 | X-Drupal-Cache | Indicates if request was served from Drupal cache (Hit or Miss) |
| 9469 | X-Xss-Protection | Internet Explorer header compatibility filter for blocking XSS |
| 8999 | Server-Timing | Conveys information for the request-response cycle |
| 8825 | content-encoding | Header specifying compression (gzip / compress / deflates etc) |
| 8787 | X-Timer | A "Fastly" header: end to end request timing information |
| 8641 | X-Runtime | Reveals time application takes to serve a request |
| 8601 | X-ac | WordPress.com related |
| 8467 | Host-Header | Maybe same as "Host:" header? |
| 8293 | Access-Control-Allow-Headers | |
| 8238 | server | Info, including version, on software used by server |
| 8127 | date | |
| 7676 | X-hacker | Recruitment 'ad' by automattic.com |
| 7662 | Access-Control-Allow-Methods | |
| 7523 | X-LiteSpeed-Cache | |
| 7347 | X-Turbo-Charged-By | Added when Cloudflare is used |
| 6763 | strict-transport-security | HSTS informs browser to use HTTPS not HTTP |
| 6725 | etag | Identifies object (and version) for caching purposes |
| 6431 | X-Robots-Tag | Allows you to choose content search engines can crawl on the site |
| 5897 | X-Seen-By | |
| 5894 | X-Wix-Request-Id | Wix hosting request ID |
| 5894 | x-contextid | |
| 5578 | X-Mod-Pagespeed | Module for Apache (and nginx) to increase performance |
| 5341 | X-Cache-Status | |
| 5339 | Status | Non-standard HTTP response status (Status: 200 OK) |
| 5173 | X-Server-Cache | Non-standard, caching related |
| 5099 | x-ray | Cloudflare related |
| 4889 | Cache-control | Specifies requests and responses caching mechanisms |
| 4525 | X-Cache-Enabled | Cache enabled (True / False) |
| 4407 | Access-Control-Allow-Credentials | Header tells browser whether to expose the response to frontend JavaScript |
| 4335 | X-Server-Powered-By | Exposes server-side software |
| 4311 | X-Adblock-Key | Sites use this to bypass ad blocker plugins |
| 4311 | X-Host | Non-standard host header |
| 4311 | X-Nginx-Cache-Status | Nginx caching header |

Non-Standard Headers

In the above table there are a significant number of HTTP Headers that have "X-" prepended to the header name. This denotes that the header is non-standard. It is not a part of the HTTP standard but is often used by web servers, web applications, and caching systems to pass information between the server / application and the browser.
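The following Python audit is an added example, not code from this page or from the HackerTarget service. It parses header output for a redirect chain, folds header names to lower case (the table counts Set-Cookie and set-cookie separately, but names are case-insensitive), and reports version-disclosing headers and missing hardening headers for your own server. The output format (raw header blocks separated by blank lines), the sample text, the choice of expected headers, and the names `parse_chain` and `audit` are assumptions.

```python
import re

# Headers from this page's table that disclose server-side software.
DISCLOSURE = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
              "x-generator", "x-powered-cms", "x-powered-by-plesk", "x-server-powered-by"}
# Hardening headers from the same table, checked on the final response (assumed policy).
EXPECTED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"]
VERSION = re.compile(r"\d+(?:\.\d+)+")
# Constructed sample: a 301 redirect followed by the final 200 response.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://www.example.com/

HTTP/1.1 200 OK
server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Content-Type-Options: nosniff
Set-Cookie: a=1
set-cookie: b=2
"""

def parse_chain(text):
    """Return one (status_line, headers) pair per response in the redirect chain."""
    chain = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # header names are case-insensitive: fold to lower case
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        chain.append((lines[0].strip(), headers))
    return chain

def audit(text):
    """List version-disclosing headers per hop and hardening headers missing at the end."""
    chain = parse_chain(text)
    findings = []
    for hop, (_, headers) in enumerate(chain):
        for name in sorted(headers.keys() & DISCLOSURE):
            for value in headers[name]:
                match = VERSION.search(value)
                findings.append((hop, name, value, match.group(0) if match else None))
    missing = [h for h in EXPECTED if h not in chain[-1][1]]
    return findings, missing

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding is a tuple of hop index, header name, raw value and extracted version, so a redirect hop served by a different front end is reported separately from the final response.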
