Every HTTP response includes headers: metadata that tells the browser how to handle the response. Headers control caching behavior, enable security protections, specify content types, allow cross-origin requests, and much more. Knowing how to read and audit HTTP headers is an important skill for web developers and security engineers.
The Most Important Response Headers
Content-Type tells the browser what format the response body is in. For HTML pages, the correct value is text/html; charset=utf-8. For JSON APIs, it is application/json. A missing or wrong Content-Type makes the browser guess ("sniff") the type from the body, which is how a user-uploaded file served as something harmless can end up rendered as HTML and executing script in your origin.
Cache-Control tells caches (browsers and CDNs) how long to store the response and under what conditions. max-age=86400 allows the response to be cached for 24 hours; no-cache means the cache must revalidate with the server before reusing a stored copy; no-store means the response must not be stored at all. Responses specific to a logged-in user should carry no-store (or at least private, which keeps them out of shared caches such as CDNs) so that one user's page is never served to another.
Strict-Transport-Security (HSTS) tells browsers to use HTTPS for every request to the site for a specified duration, upgrading http:// links automatically and refusing to let the user click through certificate errors. max-age=31536000; includeSubDomains is a common value: enforce HTTPS for one year on the domain and all of its subdomains. Browsers only honour the header when it arrives over HTTPS, and includeSubDomains is a commitment: a subdomain that still serves plain HTTP becomes unreachable once the policy is cached, so confirm every subdomain supports HTTPS before enabling it.
X-Frame-Options controls whether the page may be loaded in a frame, protecting against clickjacking. DENY blocks all framing; SAMEORIGIN allows framing only by pages from the same origin. The older ALLOW-FROM value is not supported by current browsers; to allow specific third-party framers, use the CSP frame-ancestors directive, which supersedes this header in browsers that understand it.
Content-Security-Policy (CSP) is a policy that specifies which sources may load scripts, styles, images, frames, and other resources. A properly configured CSP dramatically limits the damage from XSS, but only if script-src (or the default-src it falls back to) does not include 'unsafe-inline' or a wildcard, which would let injected script run anyway.
X-Content-Type-Options with the value nosniff tells the browser not to guess the content type from the response body. With nosniff set, a script or stylesheet whose declared Content-Type is not a JavaScript or CSS type is blocked outright, so every resource must declare its Content-Type correctly for the header to be safe to deploy.
Set-Cookie headers set browser cookies and should include the Secure flag (the cookie is only sent over HTTPS), the HttpOnly flag (JavaScript cannot read it, which keeps a session token out of reach of XSS), and the SameSite attribute (Strict or Lax limits when the cookie is sent with cross-site requests, which blunts CSRF).
Security Header Auditing
A quick way to assess a website's security posture is to check which security headers are present and whether their values are strict enough. A site that lacks HSTS, CSP, X-Frame-Options, and X-Content-Type-Options has not addressed the most basic browser-enforced security controls; a site that has them with weak values (a short HSTS max-age, a CSP with 'unsafe-inline', cookies without Secure or HttpOnly) is not much better off.
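As an added example (not the DevHexLab tool's own code), here is an offline audit that applies the rules from the header descriptions above to a raw HTTP response head. The two sample responses are constructed for the example; the function names, the one-year HSTS threshold, and the cookie/Cache-Control heuristic are this example's choices.

```javascript
'use strict';

// Constructed sample responses (not captured from any real site).
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Cache-Control: max-age=86400',
  'X-Frame-Options: ALLOW-FROM https://partner.example',
  'Set-Cookie: session=abc123; Path=/',
  '',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Cache-Control: no-store',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
  'Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '',
].join('\r\n');

// Split a raw response head (status line plus header lines) into a map of
// lower-cased header name -> array of values. Set-Cookie legitimately repeats,
// so every header is kept as an array.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const statusLine = lines.shift().trim();
  const headers = {};
  for (const line of lines) {
    if (line.trim() === '') break;          // blank line ends the head
    const colon = line.indexOf(':');
    if (colon < 1) continue;                // malformed line: ignore it
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { statusLine, headers };
}

// "max-age=31536000; includeSubDomains" -> { 'max-age': '31536000', includesubdomains: true }
// Also fits Set-Cookie attribute lists.
function parseAttributes(value) {
  const out = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    const key = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (key) out[key] = eq < 0 ? true : part.slice(eq + 1).trim();
  }
  return out;
}

// "default-src 'self'; script-src 'self' cdn.example" -> { 'default-src': ["'self'"], ... }
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditHeaders(headers) {
  const findings = [];
  const first = (n) => (headers[n] || [])[0];

  const ct = first('content-type');
  if (!ct) findings.push('Content-Type missing');
  else if (/^text\/html\b/i.test(ct) && !/charset=/i.test(ct)) findings.push('Content-Type text/html without charset');

  const hsts = first('strict-transport-security');
  if (!hsts) findings.push('Strict-Transport-Security missing');
  else {
    const a = parseAttributes(hsts);
    if (Number(a['max-age'] || 0) < 31536000) findings.push('HSTS max-age shorter than one year');
    if (!a.includesubdomains) findings.push('HSTS without includeSubDomains');
  }

  const cspRaw = first('content-security-policy');
  const csp = cspRaw ? parseCsp(cspRaw) : null;
  if (!csp) findings.push('Content-Security-Policy missing');
  else {
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];   // script-src falls back to default-src
    if (scriptSrc.some((s) => s === "'unsafe-inline'" || s === '*')) findings.push('CSP allows inline or wildcard scripts');
    if (!csp['script-src'] && !csp['default-src']) findings.push('CSP has no script-src or default-src');
  }

  const xfo = first('x-frame-options');
  if (!xfo) {
    if (!csp || !csp['frame-ancestors']) findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  } else if (!/^(DENY|SAMEORIGIN)$/i.test(xfo)) {
    findings.push(`X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN`);
  }

  const xcto = first('x-content-type-options');
  if (!xcto || xcto.toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options nosniff missing');

  for (const cookie of headers['set-cookie'] || []) {
    const a = parseAttributes(cookie);
    const name = cookie.split('=')[0].trim();
    const missing = ['secure', 'httponly', 'samesite'].filter((k) => !a[k]);
    if (missing.length) findings.push(`cookie "${name}" lacks ${missing.join(', ')}`);
  }

  // Heuristic: a response that sets a cookie is usually per-user and must not
  // be stored by a shared cache.
  if (headers['set-cookie']) {
    const cc = (first('cache-control') || '').toLowerCase();
    if (!/\b(no-store|private)\b/.test(cc)) findings.push('response sets a cookie but Cache-Control is not no-store/private');
  }
  return findings;
}

function auditRaw(raw) {
  return auditHeaders(parseResponseHead(raw).headers);
}

console.log('weak:', auditRaw(WEAK_RESPONSE));          // seven findings
console.log('hardened:', auditRaw(HARDENED_RESPONSE));  // []
```

The audit reads the same raw head you get from curl -i, so it can be pointed at a saved response as easily as at the two constructed samples; the checks mirror the headers described above and flag weak values, not just absence.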
Using the DevHexLab HTTP Header Viewer
Open the tool at /tools/developer/http-header-viewer. Enter a URL. The tool fetches the headers and displays them in a readable, categorised format. Missing security headers are highlighted so you can see at a glance what needs to be added.
Frequently Asked Questions
Can I view headers for any URL?
The tool can fetch headers for publicly accessible URLs. Private APIs, localhost, and URLs behind a firewall are not reachable from the tool's server.
Where do I set response headers in my application?
In Express (Node.js), use res.setHeader or the helmet middleware, which sets a sensible default set in one call. In Next.js, use the headers option in next.config.js. In nginx, use the add_header directive; note that add_header directives in a location block replace, rather than extend, those inherited from the server block, so repeat the full set at every level where you add one. In Apache, use the Header directive from mod_headers.
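As an added example (not code from this page, Express, or helmet), here is a header-setting middleware that uses only res.setHeader, so the same function works with app.use(...) in Express and with Node's built-in http server, plus a cookie builder and a per-user page handler that apply the Cache-Control and Set-Cookie advice above. The policy values and helper names are this example's choices.

```javascript
'use strict';

// Policy chosen for this example: no 'unsafe-inline' in script-src, because
// an inline <script> is exactly what an XSS payload injects.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "frame-ancestors 'none'",     // modern equivalent of X-Frame-Options: DENY
].join('; ');

// Headers that belong on every response. Works as Express middleware
// (app.use(securityHeaders)) or wrapped around a plain http handler.
function securityHeaders(req, res, next) {
  // Browsers only honour HSTS on HTTPS responses. req.socket.encrypted is set
  // when Node terminates TLS itself; X-Forwarded-Proto is only trustworthy
  // when your own reverse proxy sets it (Express: the 'trust proxy' setting).
  const overTls = Boolean(req.socket && req.socket.encrypted) ||
    (req.headers && req.headers['x-forwarded-proto'] === 'https');
  if (overTls) res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('Content-Security-Policy', CSP);
  res.setHeader('X-Frame-Options', 'DENY');   // kept for browsers without frame-ancestors support
  res.setHeader('X-Content-Type-Options', 'nosniff');
  if (typeof next === 'function') next();
}

// Build a Set-Cookie value with Secure, HttpOnly and SameSite always present.
function buildCookie(name, value, { maxAge, sameSite = 'Lax' } = {}) {
  // A name or value containing ';', CR or LF could inject extra attributes
  // or a whole extra header line, so reject them instead of escaping.
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\r\n]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite value');
  const parts = [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', `SameSite=${sameSite}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// A per-user page: explicit charset, never cached, session cookie with flags.
function accountPage(req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.setHeader('Cache-Control', 'no-store');   // per-user content must not sit in any cache
  res.setHeader('Set-Cookie', buildCookie('session', 'opaque-session-id', { maxAge: 3600 }));
  res.end('<!doctype html><title>Account</title><p>Signed in.</p>');
}

// Run with `node file.js --serve` and inspect with `curl -i http://localhost:8080/`.
if (process.argv.includes('--serve')) {
  const http = require('http');
  http.createServer((req, res) => securityHeaders(req, res, () => accountPage(req, res)))
    .listen(8080);
}
```

The --serve demo listens on plain HTTP, so the response carries no HSTS header; that is the overTls check doing its job, and the same code behind a TLS-terminating proxy that sets X-Forwarded-Proto emits it.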
Audit your headers regularly. A few missing lines of configuration are the difference between a secure and an insecure application.