How to Check HTTP Headers of Any Request (Browser, cURL & Online Tool)
HTTP headers carry critical information that controls authentication, content negotiation, caching, CORS permissions, and security policies. When something breaks — a 401 error, a CORS block, a caching problem — the answer is almost always hiding in the headers. Here are 4 concrete ways to check them, from beginner-friendly to power-user.
How to Check HTTP Headers in Chrome DevTools
Chrome DevTools is the fastest way to inspect HTTP headers for any request your browser makes. It requires no installation and works on any website or API call. Every request and response header is captured automatically from the moment DevTools is open.
Open Chrome DevTools
Press F12 (Windows/Linux) or Cmd+Option+I (Mac) on any page. You can also right-click anywhere and select "Inspect".
Go to the Network tab
Click the "Network" tab at the top of the DevTools panel. If it is empty, reload the page — DevTools must be open before the request fires to capture it.
Click on any request
Find the request you want to inspect in the list on the left. Click its name to open the detail panel. For API calls, filter by "Fetch/XHR" using the filter buttons.
Open the Headers panel
Click the "Headers" sub-tab in the request detail panel. You will see two sections: Response Headers (what the server sent back) and Request Headers (what your browser sent).
HTTP/2 200 OK
content-type: application/json; charset=utf-8
cache-control: public, max-age=3600, s-maxage=86400
content-encoding: gzip
access-control-allow-origin: https://yourdomain.com
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
vary: Accept-Encoding, Origin
etag: "33a64df551425fcc55e4d42a148795d9f25f89d"

Pro tip
Use the filter bar at the top of the Headers panel to search for a specific header name. Type "cache" to find Cache-Control, or "access" to jump to CORS headers immediately without scrolling through dozens of entries.
The "View source" toggle at the top of the Headers section shows the raw HTTP/1.1 or HTTP/2 format instead of the parsed key-value view — useful when you need to copy exact header values including capitalization.
How to Check HTTP Headers with cURL
cURL is the standard command-line tool for making HTTP requests and inspecting headers without a browser. It works in any terminal and is pre-installed on macOS and most Linux distributions. Windows users can get it via WSL or the standalone binary.
# -I sends a HEAD request — fetches headers without downloading the body
curl -I https://example.com
# Output:
# HTTP/2 200
# content-encoding: gzip
# accept-ranges: bytes
# age: 408765
# cache-control: max-age=604800
# content-type: text/html; charset=UTF-8
# date: Mon, 13 Apr 2026 08:00:00 GMT
# etag: "3147526947"

# -v shows the full conversation: request headers sent + response headers received
curl -v https://example.com
# Lines starting with > are request headers you sent
# Lines starting with < are response headers you received
# Lines starting with * are cURL metadata (TLS, connection info)
# To suppress the body and only see headers:
curl -v -o /dev/null https://example.com 2>&1 | grep -E "^[<>*]"

# Use -H to add request headers
curl -H "Authorization: Bearer eyJhbGc..." -H "Content-Type: application/json" -H "Accept: application/json" -v https://api.example.com/users
# Send POST with body and custom headers
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer your_token" -d '{"name":"Alice"}' -v https://api.example.com/users

Wrong vs correct cURL for header inspection
Missing flags
# This only shows the body — you see no headers
curl https://example.com

Correct flags
# -I for HEAD request (headers only, no body)
curl -I https://example.com
# -v for full verbose output (request + response headers)
curl -v https://example.com
# -D - to dump response headers to stdout (and still get body)
curl -D - https://example.com

How to Check HTTP Headers in Firefox
Firefox has a built-in Network Monitor that shows headers in a clean, structured format. The interface is slightly different from Chrome but equally powerful — and Firefox sometimes shows header information that Chrome's DevTools hides.
Open Firefox DevTools
Press F12 or Ctrl+Shift+I (Windows/Linux) or Cmd+Option+I (Mac). The DevTools panel opens at the bottom or side of the browser.
Go to the Network tab
Click the "Network" tab. Firefox calls this the "Network Monitor". Reload the page to start capturing requests.
Find and click your request
Click any request in the list. For API calls, use the "XHR" filter to narrow down fetch and XMLHttpRequest calls only.
View headers in the right panel
The right panel shows "Headers", "Cookies", "Request", "Response", and "Timings" tabs. Click "Headers" to see the full request and response header breakdown.
Use the Raw Headers toggle
Firefox has a "Raw" toggle that shows the exact HTTP wire format — useful for debugging HTTP/1.1 vs HTTP/2 differences.
Firefox advantage
How to Analyze HTTP Headers Online (Without a Browser)
Sometimes you need to inspect headers from a server you can't open in your browser directly — a third-party API, a server behind a firewall, or a production endpoint you want to audit without triggering authentication flows. An online HTTP header analyzer solves this instantly.
Free HTTP Headers Analyzer
Copy headers from DevTools or cURL
In Chrome DevTools: right-click any response header → "Copy response headers". With cURL: run curl -I https://yoursite.com and copy the output.
Paste into the analyzer
Go to unblockdevs.com/http-headers-analyzer and paste the raw headers into the input box. The analyzer accepts both HTTP/1.1 and HTTP/2 formats.
Get your security grade
The analyzer grades headers from A+ (excellent) to F (critical issues). Each missing or misconfigured header is flagged with a clear explanation.
See exactly what is missing
The analyzer checks for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — and shows copy-paste fixes for each.
Content-Security-Policy
Prevents XSS attacks by controlling which scripts, styles, and resources can load.
Strict-Transport-Security
Forces HTTPS connections and prevents protocol downgrade attacks.
X-Frame-Options
Prevents your site from being embedded in iframes — stops clickjacking attacks.
X-Content-Type-Options
Prevents MIME-type sniffing — browsers must respect the declared Content-Type.
Referrer-Policy
Controls how much referrer information is sent to other sites when users navigate away.
Permissions-Policy
Controls which browser features (camera, mic, geolocation) the page can access.
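
The six-header check described above can be reproduced locally on pasted `curl -I` output. This is an added example, not the analyzer's own code or part of the original page; `parse_headers`, `audit`, the finding strings and the one-year HSTS threshold are assumptions made here, and it assigns no A+ to F grade.

```python
import re

# The six headers listed above, lower-cased for case-insensitive lookup.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy")
MIN_HSTS_AGE = 31536000  # assumed threshold: one year, as in the page's sample

def parse_headers(raw):
    """Parse pasted `curl -I` or DevTools output into {name: [values]}."""
    headers = {}
    for line in raw.splitlines():          # splitlines() also handles CRLF
        line = line.strip()
        if re.match(r"HTTP/\d(\.\d)?\s+\d{3}", line):
            headers = {}                   # new response block (redirect chain)
        elif ":" in line and not line.startswith(":"):  # skip HTTP/2 pseudo-headers
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return sorted findings for missing or weak security headers."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    csp = "; ".join(h.get("content-security-policy", [])).lower()
    # CSP frame-ancestors takes precedence over X-Frame-Options in current browsers.
    if "frame-ancestors" in csp and "missing: x-frame-options" in findings:
        findings.remove("missing: x-frame-options")
    for value in h.get("strict-transport-security", []):
        m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"weak: strict-transport-security ({value})")
    for value in h.get("x-content-type-options", []):
        if value.lower() != "nosniff":
            findings.append(f"weak: x-content-type-options ({value})")
    for value in h.get("x-frame-options", []):
        if value.upper() not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete
            findings.append(f"weak: x-frame-options ({value})")
    return sorted(findings)

# Constructed sample: a redirect followed by the final response.
SAMPLE = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
          "HTTP/2 200\r\ncontent-type: text/html\r\n"
          "strict-transport-security: max-age=3600\r\nX-Content-Type-Options: nosniff\r\n"
          "x-frame-options: ALLOW-FROM https://a.example\r\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Only the last response block is audited, so headers seen on an intermediate redirect are not credited to the final page.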
How to Read HTTP Response Headers Correctly
Understanding what each header means is the key to debugging effectively. Here is a full annotated example of a real-world HTTP/2 response with all key headers explained.
HTTP/2 200
# ↑ Protocol version + status code
content-type: application/json; charset=utf-8
# ↑ What format the body is in. charset=utf-8 prevents encoding bugs.
# Missing this → browser or client may misparse the body.
cache-control: public, max-age=3600, s-maxage=86400
# ↑ How long to cache: 1 hour in browser, 24 hours in CDN.
# "no-store" = never cache. "no-cache" = revalidate every time.
authorization: Bearer eyJhbGciOiJSUzI1NiJ9...
# ↑ NOT in response headers — this goes in REQUEST headers.
# Response may include WWW-Authenticate if auth is required.
access-control-allow-origin: https://yourdomain.com
# ↑ CORS: only this origin can read the response.
# "*" = any origin (but blocks credentials).
access-control-allow-credentials: true
# ↑ Required if sending cookies or Authorization headers cross-origin.
strict-transport-security: max-age=31536000; includeSubDomains; preload
# ↑ HSTS: force HTTPS for 1 year across all subdomains.
x-content-type-options: nosniff
# ↑ Tells browser not to sniff the MIME type — prevents type confusion attacks.
x-frame-options: DENY
# ↑ Blocks this page from loading in any iframe.
content-encoding: gzip
# ↑ Body is compressed. Browser decompresses automatically.
vary: Accept-Encoding, Origin
# ↑ Cache must store separate versions per encoding and origin.
etag: "33a64df551425fcc55e4d42a148795d9f25f89d"
# ↑ Content fingerprint for conditional requests (304 Not Modified).

The table below summarizes the most important headers for day-to-day debugging:
| Header | Direction | What it controls | Missing = problem |
|---|---|---|---|
| Content-Type | Both | Body format (JSON, HTML, etc.) | Body misparse, 415 error |
| Cache-Control | Response | Caching rules for browser/CDN | Stale data served |
| Authorization | Request | Auth credentials (Bearer token) | 401 Unauthorized |
| Access-Control-Allow-Origin | Response | CORS permission for browser reads | CORS block in browser |