
Michael Lip

Posted on • Originally published at zovo.one

HTTP Headers Tell You More About a Website Than Its Source Code

Every HTTP response includes headers that most developers never look at. These headers reveal the server technology, caching strategy, security posture, CDN configuration, and sometimes even internal infrastructure details that the site owner probably did not intend to expose.

Learning to read HTTP headers is one of the most useful debugging and analysis skills in web development.

Security headers you should check

Strict-Transport-Security (HSTS): Forces browsers to use HTTPS. Without it, the first request to your domain might be plain HTTP, vulnerable to a man-in-the-middle attack before the redirect.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP): Controls which resources the browser can load. A strong CSP prevents most XSS attacks by restricting script sources.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'

X-Content-Type-Options: Prevents MIME type sniffing. Without it, a browser might interpret a text file as JavaScript.

X-Content-Type-Options: nosniff

X-Frame-Options: Prevents clickjacking by controlling whether the page can be embedded in iframes.

X-Frame-Options: DENY

If a site is missing these headers, it has security gaps. You can check your own site's headers to verify your security configuration is actually reaching the browser.
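The checks above can be automated. The following is an added example, not code from the original post or from the zovo.one analyzer: it takes a dictionary of response headers, applies the four checks discussed (HSTS present with a long max-age, a CSP that does not open script-src to inline or wildcard sources, nosniff, and a clickjacking defence via X-Frame-Options or CSP frame-ancestors) and returns the findings. The header set at the top is a constructed sample, and check_security_headers() is a hypothetical helper name.

```python
"""Flag missing or weak security headers in an HTTP response.

Added example, not code from the original post or from zovo.one's analyzer.
SAMPLE_HEADERS is a constructed response; check_security_headers() is a
hypothetical helper name.
"""
import re

ONE_YEAR = 31536000  # the max-age value the post recommends for HSTS

# Constructed sample: every header from the post is present, but HSTS is
# short-lived and the CSP allows inline scripts.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp):
    """Parse "name src src; name src" into {name: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_security_headers(headers):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing: first request may go over plain HTTP")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing: no restriction on script sources")
    else:
        # script-src falls back to default-src when it is not set explicitly
        scripts = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"CSP allows {weak} for scripts, weakening XSS protection")

    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    return findings


if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against SAMPLE_HEADERS it reports three findings (short HSTS lifetime, no includeSubDomains, 'unsafe-inline' in script-src); run against the header values shown earlier in this section it reports none. A real header fetch would pass the response's header mapping straight into the same function.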

Caching headers that affect performance

Cache-Control: The primary caching directive. This single header controls browser caching, CDN caching, and proxy caching behavior.

Cache-Control: public, max-age=31536000, immutable

public means any cache can store it. max-age=31536000 caches for one year. immutable tells the browser not to revalidate even when the user refreshes.

For API responses:

Cache-Control: no-store

no-store means never cache this response. This differs from no-cache, which means "cache it, but revalidate before using it."

ETag and Last-Modified: Enable conditional requests. The browser sends If-None-Match (for ETags) or If-Modified-Since (for timestamps) and the server responds with 304 Not Modified if the content has not changed, saving bandwidth.
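To make the caching directives and the conditional-request exchange concrete, here is an added example (not code from the original post). It parses a Cache-Control value into its directives, derives the freshness lifetime and whether a shared cache may store the response, and then plays the server side of a conditional GET: it emits ETag and Last-Modified and answers 304 Not Modified when If-None-Match or If-Modified-Since shows the client already holds the current copy. The body, ETag scheme and Last-Modified date are constructed samples, and the function names are hypothetical.

```python
"""Parse Cache-Control and serve conditional requests with 304 Not Modified.

Added example, not code from the original post. parse_cache_control(),
freshness_lifetime(), shared_cache_may_store(), make_etag() and
conditional_response() are hypothetical helper names; BODY and
LAST_MODIFIED are constructed samples.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource
BODY = b"<html><body>hello</body></html>"
LAST_MODIFIED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_cache_control(value):
    """Turn 'public, max-age=31536000, immutable' into a dict.

    Bare directives map to True; valued directives keep their value,
    converted to int when numeric (max-age, s-maxage).
    """
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        arg = arg.strip().strip('"')
        directives[name.lower()] = int(arg) if arg.isdigit() else (arg or True)
    return directives


def freshness_lifetime(value):
    """Seconds a cache may reuse the response without revalidating (0 if none)."""
    directives = parse_cache_control(value)
    if "no-store" in directives or "no-cache" in directives:
        return 0
    return int(directives.get("max-age", 0))


def shared_cache_may_store(value):
    """A CDN or proxy may store the response unless no-store or private is set."""
    directives = parse_cache_control(value)
    return "no-store" not in directives and "private" not in directives


def http_date(dt):
    """Format a datetime as an HTTP-date, as used by Last-Modified."""
    return format_datetime(dt, usegmt=True)


def make_etag(body):
    """Strong ETag derived from a content hash (one common scheme)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def conditional_response(request_headers, body=BODY, last_modified=LAST_MODIFIED):
    """Answer a GET, returning (status, headers, body).

    If-None-Match takes precedence over If-Modified-Since, since a browser
    that holds both an ETag and a timestamp sends both.
    """
    etag = make_etag(body)
    headers = {"ETag": etag, "Last-Modified": http_date(last_modified)}
    req = {k.lower(): v for k, v in request_headers.items()}

    if "if-none-match" in req:
        tags = [t.strip() for t in req["if-none-match"].split(",")]
        if "*" in tags or etag in tags:
            return 304, headers, b""
    elif "if-modified-since" in req:
        try:
            since = parsedate_to_datetime(req["if-modified-since"])
        except (TypeError, ValueError):
            since = None  # malformed date: ignore the condition
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if since >= last_modified:
                return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    print(parse_cache_control("public, max-age=31536000, immutable"))
    status, hdrs, _ = conditional_response({"If-None-Match": make_etag(BODY)})
    print(status, hdrs)
```

The 304 path returns the validators but an empty body, which is the bandwidth saving the section describes; a client whose ETag no longer matches gets a full 200 with the new validators.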

Debugging headers

Server: Reveals the web server software. Server: nginx/1.24.0 tells you the exact version. Security best practice is to minimize this (Server: nginx) or remove it entirely to avoid giving attackers version-specific vulnerability information.

X-Powered-By: Often reveals the application framework. X-Powered-By: Express or X-Powered-By: PHP/8.2.0. Remove this in production.

X-Request-Id: A unique identifier for each request, useful for tracing a specific request through logs across multiple services.

Via: Shows proxy and CDN hops. Via: 1.1 cloudfront.net (CloudFront) tells you the response came through AWS CloudFront.

CF-Ray: Cloudflare's request identifier. Its presence tells you the site uses Cloudflare.

CDN and infrastructure detection

HTTP headers often reveal the CDN and hosting stack:

  • CF-Ray, CF-Cache-Status: Cloudflare
  • X-Amz-Cf-Id: AWS CloudFront
  • X-Served-By with Fastly hostnames: Fastly
  • X-Vercel-Id: Vercel
  • X-Powered-By: Next.js: Next.js on Vercel
  • X-GitHub-Request-Id: GitHub Pages
  • X-Netlify-*: Netlify

CF-Cache-Status: HIT means Cloudflare served the response from cache without hitting your origin server. MISS means it fetched from origin. DYNAMIC means Cloudflare did not attempt to cache it. This is invaluable for debugging caching behavior.
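The following is an added example (not code from the original post or from the zovo.one analyzer) that covers both the debugging headers above and the CDN signature list: it maps the listed header signatures to a provider, explains CF-Cache-Status, and flags a Server header carrying a version number or any X-Powered-By header as an information-disclosure finding. The sample header set is constructed (the CF-Ray value is a placeholder), and detect_cdn(), cache_status() and disclosure_findings() are hypothetical helper names.

```python
"""Identify the CDN/hosting stack from response headers and flag version leaks.

Added example, not code from the original post or the zovo.one analyzer.
The signature table mirrors the list in the post; SAMPLE is a constructed
response (the CF-Ray value is a placeholder), and detect_cdn(),
cache_status() and disclosure_findings() are hypothetical helper names.
"""
import re

# (header name, value substring that must be present or None, provider label)
CDN_SIGNATURES = [
    ("CF-Ray", None, "Cloudflare"),
    ("CF-Cache-Status", None, "Cloudflare"),
    ("X-Amz-Cf-Id", None, "AWS CloudFront"),
    ("Via", "cloudfront", "AWS CloudFront"),
    ("X-Served-By", "fastly", "Fastly"),
    ("X-Vercel-Id", None, "Vercel"),
    ("X-Powered-By", "next.js", "Next.js on Vercel"),
    ("X-GitHub-Request-Id", None, "GitHub Pages"),
]

# Matches "1.24.0", "8.2", etc. inside Server or X-Powered-By values
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed sample response
SAMPLE = {
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.0",
    "CF-Ray": "0123456789abcdef-AMS",  # placeholder value
    "CF-Cache-Status": "HIT",
    "Via": "1.1 cloudfront.net (CloudFront)",
}


def _lower_keys(headers):
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def detect_cdn(headers):
    """Return the sorted list of providers whose signature headers are present."""
    h = _lower_keys(headers)
    found = set()
    for name, needle, label in CDN_SIGNATURES:
        value = h.get(name.lower())
        if value is None:
            continue
        if needle is None or needle in value.lower():
            found.add(label)
    # Netlify uses a family of X-Netlify-* headers rather than one fixed name
    if any(k.startswith("x-netlify-") for k in h):
        found.add("Netlify")
    return sorted(found)


def cache_status(headers):
    """Explain CF-Cache-Status as the post describes it; None when absent."""
    meaning = {
        "HIT": "served from Cloudflare's cache, origin not contacted",
        "MISS": "fetched from the origin server",
        "DYNAMIC": "Cloudflare did not attempt to cache it",
    }
    value = _lower_keys(headers).get("cf-cache-status")
    if value is None:
        return None
    return meaning.get(value.upper(), f"other status: {value}")


def disclosure_findings(headers):
    """Flag Server/X-Powered-By values that reveal software versions."""
    h = _lower_keys(headers)
    findings = []
    server = h.get("server")
    if server and VERSION_RE.search(server):
        findings.append(f"Server header exposes a version: {server}")
    powered = h.get("x-powered-by")
    if powered:
        findings.append(f"X-Powered-By present, remove in production: {powered}")
    return findings


if __name__ == "__main__":
    print("CDN:", detect_cdn(SAMPLE))
    print("Cache:", cache_status(SAMPLE))
    for finding in disclosure_findings(SAMPLE):
        print("-", finding)
```

A Server value with no version, such as the minimised Server: nginx the post recommends, produces no finding; the signature table is ordinary data, so adding a new provider is one more tuple.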

CORS headers

When your frontend fetches from a different origin and gets a CORS error, the response headers (or lack thereof) tell you what is wrong:

Access-Control-Allow-Origin: https://mysite.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400

If Access-Control-Allow-Origin is missing or does not match your origin, the browser blocks the response. For non-simple requests, the response to the preflight OPTIONS request must include these headers.
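To show why a given CORS error appears, here is an added example (not code from the original post) that models the browser's side of the decision: which requests need a preflight, whether Access-Control-Allow-Origin admits the page's origin (including the rule that a wildcard is refused for credentialed requests), and whether the preflight response lists the method and headers the real request will use. The origins and header sets are constructed samples, and needs_preflight(), origin_allowed() and preflight_ok() are hypothetical helper names.

```python
"""Simulate the browser-side CORS decision for a cross-origin fetch.

Added example, not code from the original post. needs_preflight(),
origin_allowed() and preflight_ok() are hypothetical helper names; the
origins and header sets are constructed samples.
"""

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Request headers a browser may send without a preflight (CORS-safelisted);
# Content-Type only counts when its value is one of SIMPLE_CONTENT_TYPES.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed sample: the preflight response shown in the post
PREFLIGHT_RESPONSE = {
    "Access-Control-Allow-Origin": "https://mysite.com",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "86400",
}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def _csv(value):
    """Split a comma-separated header value into a lowercase set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()} if value else set()


def unsafe_request_headers(request_headers):
    """Names of request headers that force a preflight and must be allow-listed."""
    unsafe = set()
    for name, value in _lower(request_headers).items():
        if name not in SAFELISTED_HEADERS:
            unsafe.add(name)
        elif name == "content-type":
            media_type = value.split(";")[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                unsafe.add(name)
    return unsafe


def needs_preflight(method, request_headers):
    """True when the browser sends OPTIONS before the real request."""
    return method.upper() not in SIMPLE_METHODS or bool(unsafe_request_headers(request_headers))


def origin_allowed(origin, response_headers, with_credentials=False):
    """Apply the Access-Control-Allow-Origin rule the browser enforces."""
    acao = _lower(response_headers).get("access-control-allow-origin")
    if acao is None:
        return False  # header missing: response is blocked
    if acao.strip() == "*":
        return not with_credentials  # wildcard is rejected for credentialed requests
    return acao.strip() == origin


def preflight_ok(origin, method, request_headers, response_headers):
    """Check an OPTIONS response the way a browser does before the real request."""
    if not origin_allowed(origin, response_headers):
        return False
    h = _lower(response_headers)
    allowed_methods = _csv(h.get("access-control-allow-methods"))
    if method.upper() not in SIMPLE_METHODS and method.lower() not in allowed_methods and "*" not in allowed_methods:
        return False
    allowed_headers = _csv(h.get("access-control-allow-headers"))
    for name in unsafe_request_headers(request_headers):
        if name not in allowed_headers and "*" not in allowed_headers:
            return False
    return True


if __name__ == "__main__":
    req = {"Content-Type": "application/json", "Authorization": "Bearer token"}
    print("preflight needed:", needs_preflight("POST", req))
    print("preflight ok:", preflight_ok("https://mysite.com", "POST", req, PREFLIGHT_RESPONSE))
    print("DELETE ok:", preflight_ok("https://mysite.com", "DELETE", {}, PREFLIGHT_RESPONSE))
```

With the response from the post, a JSON POST carrying an Authorization header passes, while a DELETE fails because the method is not in Access-Control-Allow-Methods; that is exactly the kind of mismatch the browser reports as a CORS error.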

I built an HTTP header analyzer at zovo.one/free-tools/http-header-analyzer that fetches any URL's response headers and explains what each one means, flags security issues, and identifies the CDN and server technology. Enter a URL and get a complete breakdown of its header configuration, with recommendations for missing security headers.


I'm Michael Lip. I build free developer tools at zovo.one. 500+ tools, all private, all free.
