Review the HTTP Headers from a web server with this quick check.
Valid Input: IPv4 example.com https://example.com
Reviewing HTTP Headers
A great deal of information can be gathered from a check of the HTTP headers returned by a web server. Server-side software can often be identified down to the exact version running. Cookie strings, web application technologies, and other data can also be gathered from the HTTP headers. This information can be used when troubleshooting or when planning an attack against the web server.
HTTP Header Check API
In addition to the web form above, we offer a second way to access the HTTP headers of any web site. Our HTTP Header API will trigger our system to get the headers and display them in a simple text-based output. Access the API using a web browser, curl, or any scripting language.
https://api.hackertarget.com/httpheaders/?q=http://www.google.com
This query will display the HTTP headers from www.google.com. Note that if the web server sends a 301 or 302 redirect, the system will follow the redirect and display each set of HTTP headers.
The API is simple to use and aims to be a quick reference tool. As a Free user you may perform up to 20 queries per day, or you can increase your daily quota with a Full Membership.
List of Common HTTP Headers
By compiling all HTTP Headers from the top 1 million websites we have generated a list of the 100 most common HTTP Response Headers. Use this reference to quickly understand the use cases for the different HTTP headers.
Note that these are the response headers, meaning those found in the response from the HTTP server after a browser makes a request.
100 most Common HTTP Response Headers
Count | HTTP Header | Description |
---|---|---|
834082 | Content-Type | Denotes the type of media |
833384 | Date | Date and Time from the response |
786517 | Server | Information about the Server Software |
753241 | Set-Cookie | Assigns cookies from Server to Client |
714923 | Connection | Controls network connection |
706267 | Content-Encoding | Specifies compression type |
628732 | Vary | Details how to determine if cache can be used rather than a new response from server |
518756 | Cache-Control | Details caching options in requests and responses |
501318 | Transfer-Encoding | Encoding to be used for transfer of data |
368014 | Expires | Specifies when the response becomes "stale" |
334063 | Content-Length | Size of resource in number of bytes |
307086 | X-Powered-By | Hosting and Backend Server Frameworks may use this. Can reveal sensitive information (version and software). |
298609 | Link | Serialising one or more links in HTTP headers |
235691 | Pragma | Related to caching, may be implemented in different ways. |
226452 | Keep-Alive | Specifies how long a persistent connection stays open |
208912 | Last-Modified | Last modification date of resource. Used for caching. |
157980 | X-Content-Type-Options | Disables MIME Sniffing and forces browser to use type shown in Content-Type |
128658 | CF-RAY | CloudFlare Header. A hashed value encoding information about the data center and the request. |
128187 | ETag | Cache Validation Tag. Also used for tracking users with cookies disabled. |
127715 | X-Frame-Options | Specifies whether browser should show page in an iFrame |
126487 | CF-Cache-Status | CloudFlare header shows whether a resource is cached |
122831 | Accept-Ranges | |
119876 | Strict-Transport-Security | Force communication to use HTTPS (not HTTP) |
118843 | X-XSS-Protection | Enables Cross Site Scripting (XSS) filtering |
104121 | Expect-CT | Reporting and enforcement of Certificate Transparency. Prevents the use of mis-issued certificates for the site. When enabled the Expect-CT header requests that Chrome checks certificates for the site appear in public CT logs. |
69989 | X-Cache | Used by CDNs to specify whether resource in CDN cache matches server resource |
60055 | set-cookie | Assigns cookies from Server to Client |
55989 | Age | Time in seconds resource has been in proxy cache |
55051 | Upgrade | One way to switch from HTTP to HTTPS |
49089 | Content-Language | Describes the language(s) intended for the document |
42722 | P3P | Privacy Protocol that was not widely adopted |
42154 | Content-Security-Policy CSP | Controls which resources the client can load for the page |
39768 | Via | Added by proxies. Can be used for both forward and reverse proxies (requests & responses) |
37745 | Alt-Svc | List other ways to access service |
32840 | X-AspNet-Version | Specifies the version of ASP.NET being used |
30872 | Access-Control-Allow-Origin | Details whether the response can be shared. |
30672 | X-UA-Compatible | Compatibility header for old versions of Microsoft Internet Explorer (IE) and Edge |
29572 | Referrer-Policy | Rules which referrer information sent in the referrer header is incorporated with requests |
25911 | Report-To | Header used for adding troubleshooting information?? |
25813 | NEL | An option for developers to set network error reporting. |
22163 | X-Download-Options | Specific to IE8. Stops downloads opening directly in browser. |
20996 | X-Permitted-Cross-Domain-Policies | |
19013 | X-Proxy-Cache | Enable caching in NGINX reverse proxy |
18618 | Etag | Used for HTTP Cache validation and conditional requests using If-Match and If-None-Match |
18605 | X-Request-Id | Unique request ID that associates HTTP requests between a client and a server. |
17921 | X-Cacheable | Non-standard header related to caching, use can vary between different proxy & cdn networks |
17533 | X-Dc | |
17528 | X-Sorting-Hat-PodId | Shopify Related |
17526 | X-Shopify-Stage | Shopify Related |
17371 | X-ShopId | Shopify Related |
17367 | X-Sorting-Hat-ShopId | Shopify Related |
17358 | X-ShardId | Shopify Related |
17122 | X-Alternate-Cache-Key | Shopify Related |
12610 | X-Cache-Hits | Data successfully located in cache memory |
12322 | X-Varnish | ID of the current request and the ID of the request that populated the Varnish cache |
11081 | X-Pass-Why | provides reason for a 'MISS' result in the x-cache |
11055 | X-Generator | exposes information/meta data about the site such as version of software |
10971 | X-Cache-Group | Tags the clients about the cache-group to which they belong |
10806 | X-Powered-By-Plesk | Plesk Hosting Software |
10672 | X-AspNetMvc-Version | Shows the version of the framework |
10542 | X-Powered-CMS | Exposes name and version of CMS |
10422 | X-Served-By | Caching related |
10282 | expires | Contains the date/time after which the response object is considered stale |
10198 | X-Amz-Cf-Pop | Amazon CloudFront |
10086 | X-Amz-Cf-Id | Amazon CloudFront ID (CloudFront requires this information for debugging.) |
9850 | X-Drupal-Cache | Indicates if request was served from Drupal Cache (Hit or Miss) |
9469 | X-Xss-Protection | Internet Explorer header compatibility filter for blocking XSS |
8999 | Server-Timing | Conveys information for the request-response cycle |
8825 | content-encoding | Header specifying compression (gzip / compress / deflates etc) |
8787 | X-Timer | A "Fastly" header: end to end request timing information |
8641 | X-Runtime | reveals time application takes to serve a request |
8601 | X-ac | WordPress.com related |
8467 | Host-Header | Maybe same as "Host:" header? |
8293 | Access-Control-Allow-Headers | |
8238 | server | info incl version on software used by server |
8127 | date | |
7676 | X-hacker | Recruitment 'ad' by automattic.com |
7662 | Access-Control-Allow-Methods | |
7523 | X-LiteSpeed-Cache | |
7347 | X-Turbo-Charged-By | Added when CloudFlare is used |
6763 | strict-transport-security | HSTS informs browser to use HTTPS not HTTP |
6725 | etag | Identifies object (and version) for caching purposes |
6431 | X-Robots-Tag | Allows you to choose content search engines can crawl on the site |
5897 | X-Seen-By | |
5894 | X-Wix-Request-Id | Wix hosting request ID |
5894 | x-contextid | |
5578 | X-Mod-Pagespeed | Module for apache (and nginx) to increase performance |
5341 | X-Cache-Status | |
5339 | Status | Non-standard HTTP response status (Status: 200 OK) |
5173 | X-Server-Cache | Non-standard caching related |
5099 | x-ray | CloudFlare Related |
4889 | Cache-control | Specifies requests and responses caching mechanisms |
4525 | X-Cache-Enabled | Cache Enabled (True / False) |
4407 | Access-Control-Allow-Credentials | Header tells browser whether to expose the response to frontend JavaScript |
4335 | X-Server-Powered-By | Exposes server side software |
4311 | X-Adblock-Key | Sites use this to bypass ad blocker plugins |
4311 | X-Host | Non-standard host header |
4311 | X-Nginx-Cache-Status | Nginx Caching Header |
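
To put the table to work when reviewing your own server, the following added example (not part of the original page or the HackerTarget service) parses raw response header blocks, one per redirect hop, and reports version-disclosing headers and missing security headers. The sample input is constructed, the blank-line-separated block format (as printed by `curl -sIL`) is an assumption about the input, and the two header sets are a selection taken from the table above.

```python
# Header names are case-insensitive, so every name is lower-cased before
# comparison (the table above counts "Set-Cookie" and "set-cookie" separately).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
              "x-generator", "x-powered-cms", "x-powered-by-plesk",
              "x-server-powered-by"}
EXPECTED = {"strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"}

# Constructed sample: a 301 redirect followed by the final 200 response.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://www.example.com/

HTTP/1.1 200 OK
server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
"""

def parse_hops(raw):
    """Return one (status_line, {name: [values]}) tuple per response block."""
    hops = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines or not lines[0].upper().startswith("HTTP/"):
            continue  # skip anything that is not a response header block
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # repeated headers (e.g. Set-Cookie) keep every value
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((lines[0].strip(), headers))
    return hops

def audit(raw):
    """Flag disclosing headers on every hop; check security headers on the last."""
    hops = parse_hops(raw)
    disclosed = []
    for _status, headers in hops:
        for name in sorted(DISCLOSING.intersection(headers)):
            for value in headers[name]:
                # A digit in the value usually means a version number is exposed.
                disclosed.append((name, value, any(c.isdigit() for c in value)))
    final = hops[-1][1] if hops else {}
    return {"hops": len(hops), "disclosed": disclosed,
            "missing": sorted(EXPECTED.difference(final))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Disclosing headers are collected from every hop because a redirecting front end can expose different software than the final origin; the security headers are checked only on the final response, which is the one the browser renders.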