Review the HTTP Headers from a web server with this quick check.
Reviewing HTTP Headers
A great deal of information can be gathered by checking the HTTP headers a web server returns. Server-side software can often be identified down to the exact version running. Cookie strings, web application technologies, and other data can also be gathered from the HTTP headers. This information is useful when troubleshooting or when planning an attack against the web server.
HTTP Header Check API
In addition to the web form above, we offer a second way to access the HTTP headers of any web site. Our HTTP Header API triggers our system to fetch the headers and display them in a simple text-based output. Access the API using a web browser, curl, or any scripting language.
https://api.hackertarget.com/httpheaders/?q=http://www.google.com
This query will display the HTTP headers from www.google.com. Note that if the web server sends a 301 or 302 redirect, the system will follow the redirect and display each set of HTTP headers.
The API is simple to use and aims to be a quick reference tool. As a free user you may perform up to 20 queries per day, or you can increase the daily quota with a Full Membership.
List of Common HTTP Headers
By compiling all HTTP headers from the top 1 million websites we have generated a list of the 100 most common HTTP response headers. Use this reference to quickly understand the use cases for the different HTTP headers.
Note that these are the response headers, meaning those found in the response from the HTTP server after a browser makes a request.
Top 100 HTTP Response Headers
| HTTP Header | Count | Description |
|---|---|---|
| Content-Type | 834082 | Denotes the media type of the body (e.g. text/html, application/json) |
| Date | 833384 | Date and Time the server generated the response. Case variant of date |
| Server | 786517 | Information about the Server Software |
| Set-Cookie | 753241 | Assigns cookies from server to client. Case variant of set-cookie: capitalisation varies across server software. |
| Connection | 714923 | Controls network connection keep-alive / close. |
| Content-Encoding | 706267 | Specifies compression type (e.g. gzip). Case variant of content-encoding |
| Vary | 628732 | Tells caches to store different versions of the response based on request headers. |
| Cache-Control | 518756 | Details caching options in requests and responses. Case variant of Cache-control |
| Transfer-Encoding | 501318 | Encoding to be used for transfer of data |
| Expires | 368014 | Legacy: defines a date/time after which the response is stale. Cache-Control is preferred and overrides it when present. Case variant of expires |
| Content-Length | 334063 | Size of resource in number of bytes |
| X-Powered-By | 307086 | Reveals backend framework and version. Can reveal sensitive information (version and software). |
| Link | 298609 | Defines typed links (rel=) to related resources (e.g. preload, prefetch, pagination). |
| Pragma | 235691 | HTTP/1.0 compatibility cache header (no-cache). Used alongside Cache-Control for backward compatibility. |
| Keep-Alive | 226452 | Specifies how long a persistent connection stays open |
| Last-Modified | 208912 | Last modification date of resource. Used for caching. |
| X-Content-Type-Options | 157980 | Disables MIME Sniffing and forces browser to use type shown in Content-Type |
| CF-RAY | 128658 | Cloudflare Header. A hashed value encoding information about the data center and the request. |
| ETag | 128187 | Cache validation tag that identifies a specific version of a resource, used by caches to validate whether content has changed. Case variant of etag / Etag |
| X-Frame-Options | 127715 | Legacy clickjacking control that restricts iframe embedding. Replaced by CSP (frame-ancestors) but still commonly deployed and enforced by browsers. |
| CF-Cache-Status | 126487 | Cloudflare: whether the asset was served from cache (HIT, MISS, EXPIRED, BYPASS, etc.). |
| Accept-Ranges | 122831 | Indicates support for range requests (usually bytes), allowing clients to request parts of a resource. |
| Strict-Transport-Security | 119876 | Forces communication to use HTTPS (not HTTP). Case variant of strict-transport-security |
| X-XSS-Protection | 118843 | Deprecated and no longer enforced by modern browsers. Replace with CSP. (Enabled Cross Site Scripting (XSS) filtering) |
| Expect-CT | 104121 | Deprecated. Browsers now enforce Certificate Transparency automatically. (Reported and enforced Certificate Transparency). |
| X-Cache | 69989 | Used by CDNs to indicate whether the resource in the CDN cache matches the server resource |
| set-cookie | 60055 | Assigns cookies from server to client. Case variant of Set-Cookie: servers differ in header capitalisation. |
| Age | 55989 | Time in seconds resource has been in proxy cache |
| Upgrade | 55051 | One way to switch from HTTP to HTTPS |
| Content-Language | 49089 | Describes the language(s) intended for the document |
| P3P | 42722 | Deprecated privacy framework. Limited adoption. Occasionally present in legacy systems. |
| Content-Security-Policy | 42154 | CSP: Controls which resources the client can load for the page, e.g. scripts, styles, images and other resources. |
| Via | 39768 | Added by proxies. Can be used for both forward and reverse proxies (requests & responses) |
| Alt-Svc | 37745 | Lists other ways to access the service, e.g. HTTP/3 on a different port or host. |
| X-AspNet-Version | 32840 | Specifies the version of ASP.NET being used |
| Access-Control-Allow-Origin | 30872 | CORS header specifying which origins can access the response (* or an explicit origin). |
| X-UA-Compatible | 30672 | Obsolete header used to control Internet Explorer rendering mode (e.g. IE=edge). Ignored by modern browsers. |
| Referrer-Policy | 29572 | Controls how much referrer information is included with outbound requests. |
| Report-To | 25911 | Configures endpoints where browsers send reports (e.g. CSP violations, network errors, deprecations). Being replaced by Reporting-Endpoints |
| NEL | 25813 | Network Error Logging: instructs the browser to report network errors (e.g. DNS, TCP, TLS failures) to a reporting endpoint. |
| X-Download-Options | 22163 | Obsolete IE-only header (noopen) that forces downloads to be saved. Still appears in legacy environments. |
| X-Permitted-Cross-Domain-Policies | 20996 | Obsolete Adobe Flash policy header. Flash is EOL but it still appears in legacy configurations and default templates |
| X-Proxy-Cache | 19013 | Custom header indicating reverse proxy cache status (e.g. HIT, MISS). Common in NGINX and similar caching setups. |
| Etag | 18618 | Cache validation tag that identifies a specific version of a resource, used by caches to validate whether content has changed. Case variant of etag / ETag |
| X-Request-Id | 18605 | Unique request ID that associates HTTP requests between a client, server and logs. |
| X-Cacheable | 17921 | Custom header indicating cacheability. Behaviour varies by proxy/CDN. |
| X-Dc | 17533 | Custom header indicating which data centre served the request. Usage varies by platform |
| X-Sorting-Hat-PodId | 17528 | Identifies the Shopify pod handling the request for internal load balancing. |
| X-Shopify-Stage | 17526 | Indicates the Shopify environment stage (e.g. production, staging). |
| X-ShopId | 17371 | Identifies the Shopify store ID associated with the request. |
| X-Sorting-Hat-ShopId | 17367 | Maps the shop ID to a pod for internal Shopify request routing. |
| X-ShardId | 17358 | Identifies the database shard handling the shop's data. |
| X-Alternate-Cache-Key | 17122 | Shopify caching header that provides an alternative key for CDN cache invalidation |
| X-Cache-Hits | 12610 | Custom header showing cache hit count. Behaviour varies by proxy/CDN. |
| X-Varnish | 12322 | Varnish specific header containing request IDs. On cache hits, includes the ID of the request that populated the cache |
| X-Pass-Why | 11081 | Custom header explaining why a request bypassed the cache rather than being served from it. |
| X-Generator | 11055 | Custom header exposing CMS/framework (sometimes version). Common recon vector & often removed. |
| X-Cache-Group | 10971 | Custom header indicating cache grouping or internal cache logic. Meaning varies by proxy/CDN. |
| X-Powered-By-Plesk | 10806 | Custom header exposing Plesk hosting. |
| X-AspNetMvc-Version | 10672 | Exposes ASP.NET MVC version. Typically disabled in production. |
| X-Powered-CMS | 10542 | Custom header exposing CMS (sometimes version). Often removed. |
| X-Served-By | 10422 | Identifies the CDN, cache, or proxy node that handled the request. |
| expires | 10282 | Legacy: defines a date/time after which the response is stale. Cache-Control is preferred and overrides it when present. Case variant of Expires |
| X-Amz-Cf-Pop | 10198 | Identifies the Amazon CloudFront edge location (Point of Presence, POP) that served the request. |
| X-Amz-Cf-Id | 10086 | Unique identifier for requests handled by Amazon CloudFront, used for debugging and tracing. |
| X-Drupal-Cache | 9850 | Indicates whether the response was served from Drupal’s cache (HIT or MISS). |
| X-Xss-Protection | 9469 | Deprecated and no longer enforced by modern browsers. Replace with CSP. (Enabled Cross Site Scripting (XSS) filtering) |
| Server-Timing | 8999 | Exposes server-side timing metrics (backend, cache, DB), useful for performance debugging. |
| content-encoding | 8825 | Specifies compression type (e.g. gzip). Case variant of Content-Encoding |
| X-Timer | 8787 | Fastly header showing request timing broken down into start time, time to first byte, and total duration. |
| X-Runtime | 8641 | Shows application processing time (seconds). Useful for backend performance insight. |
| X-ac | 8601 | WordPress.com/Automattic header showing cache status and data centre. |
| Host-Header | 8467 | Custom header with undefined meaning. Possibly related to Host handling. |
| Access-Control-Allow-Headers | 8293 | CORS header listing request headers allowed in cross-origin requests (preflight). |
| server | 8238 | Information about the Server Software. Case variant of Server |
| date | 8127 | Date and Time the server generated the response. Case variant of Date |
| X-hacker | 7676 | Recruitment 'ad' by automattic.com |
| Access-Control-Allow-Methods | 7662 | CORS preflight header listing the HTTP methods permitted for cross-origin requests (e.g. GET, POST, PUT, DELETE) |
| X-LiteSpeed-Cache | 7523 | LiteSpeed web server cache status header (hit, miss, no-cache). |
| X-Turbo-Charged-By | 7347 | LiteSpeed header indicating server platform. |
| strict-transport-security | 6763 | HSTS informs browser to use HTTPS not HTTP. Case variant of Strict-Transport-Security |
| etag | 6725 | Cache validation tag that identifies a specific version of a resource, used by caches to validate whether content has changed. Case variant of Etag / ETag |
| X-Robots-Tag | 6431 | Controls search engine crawling and indexing for a response (e.g. noindex, nofollow). |
| X-Seen-By | 5897 | Custom header listing nodes that processed the request. |
| X-Wix-Request-Id | 5894 | Unique Wix request ID used for debugging and tracing. |
| x-contextid | 5894 | Custom header with a request/context ID for tracing. |
| X-Mod-Pagespeed | 5578 | Header showing PageSpeed optimisation is active (mod_pagespeed/ngx_pagespeed). |
| X-Cache-Status | 5341 | Custom header indicating cache status. |
| Status | 5339 | Non-standard HTTP response status (Status: 200 OK) |
| X-Server-Cache | 5173 | Custom header showing cache status or behaviour. |
| x-ray | 5099 | Non-standard header with no defined meaning. |
| Cache-control | 4889 | Specifies requests and responses caching mechanisms. Case variant of Cache-Control |
| X-Cache-Enabled | 4525 | Custom header indicating whether caching is enabled (true / false) |
| Access-Control-Allow-Credentials | 4407 | CORS header that tells the browser whether to expose the response to JavaScript when credentials such as cookies or auth headers are included. |
| X-Server-Powered-By | 4335 | Exposes server side software. Often removed in hardened configs. |
| X-Adblock-Key | 4311 | Used by some sites to detect or bypass ad-blocking browser extensions. |
| X-Host | 4311 | Custom header carrying host or routing information. |
| X-Nginx-Cache-Status | 4311 | NGINX cache status header (HIT, MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED). |
Non-Standard Headers
In the above table there are a significant number of HTTP headers that have "X-" prefixed to the header name. This denotes that the header is non-standard: it is not part of the HTTP standard but is often used by web servers, web applications, and caching systems to pass information between the server / application and the browser.
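As an added example (not part of this page or the HackerTarget tool), the script below parses header text in the layout the API's text output is assumed to use (one status line followed by header lines per hop, hops separated by a blank line, one block per redirect) and reviews the final response the way a defender reading the table above would: which headers disclose server-side software, which defensive headers are missing, and which non-standard X- headers are present. Header names are matched case-insensitively, since Set-Cookie and set-cookie are the same header; the sample input is constructed.

```python
import re

# Headers that reveal server-side software (Server, X-Powered-By, ... in the table above)
DISCLOSURE = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
              "x-generator", "x-powered-cms", "x-server-powered-by"}
# Defensive headers a hardened site is expected to send on its final response
EXPECTED = {"strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"}

def parse_hops(text):
    """Split header text into hops (one block per redirect) of (status_line, {name: [values]})."""
    hops = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            # Lower-case the name so Set-Cookie and set-cookie are counted as one header
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((lines[0].strip(), headers))
    return hops

def review(hops):
    """Report redirect count, leaked software, missing defences and X- headers of the last hop."""
    status, final = hops[-1]
    present = set(final)
    return {"status": status,
            "redirects": len(hops) - 1,
            "disclosure": {h: final[h] for h in sorted(DISCLOSURE & present)},
            "missing": sorted(EXPECTED - present),
            "nonstandard": sorted(h for h in present if h.startswith("x-"))}

# Constructed sample (assumed layout): a 301 to HTTPS, then the final 200 response
SAMPLE = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Server: nginx

HTTP/2 200
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Set-Cookie: sid=abc; Path=/
set-cookie: lang=en; Path=/
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Cache: HIT
"""
```

Running review(parse_hops(SAMPLE)) reports one redirect, the nginx and PHP versions as disclosures, and CSP, Referrer-Policy and X-Frame-Options as missing.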