HTTP Headers Analyzer
Paste raw response headers — grade HSTS, X-Robots-Tag, CSP, cache-control, and 5 more for SEO and security.
How to use this tool: 3 quick steps
1. Get the headers from your site
Run `curl -sI https://yoursite.com` in a terminal; the -I flag returns just the headers. Or open DevTools → Network → click any request → Headers tab.
2. Copy the response headers
Copy everything from "HTTP/" or the first header line down to the last header; leave out the body.
3. Paste below and review the grade
We check 9 standard SEO + security headers (HSTS, CSP, X-Robots-Tag, cache-control, etc.) and grade A–F.
SEO & Security Header Reference Guide
Why HTTP response headers matter for rankings and site security
HTTP response headers are server-sent metadata that travel with every page response, controlling how browsers, CDNs, and search crawlers interpret and cache your content. They are defined in a series of IETF RFCs (Requests for Comments): RFC 7230–7235 for HTTP/1.1, since updated by RFC 9110–9114, which also cover HTTP/2 and HTTP/3. Many SEO issues, especially accidental de-indexing, originate in misconfigured headers rather than HTML. A single X-Robots-Tag: noindex set by a staging environment deploy can silently remove a page from Google's index within 24–72 hours, often before anyone notices in Search Console.
How to retrieve response headers
Terminal (macOS/Linux/Windows WSL): `curl -sI https://yoursite.com` — the -I flag sends an HTTP HEAD request that returns only headers, not the body. Windows PowerShell: `Invoke-WebRequest -Uri https://yoursite.com -Method Head | Select-Object -ExpandProperty Headers`. Browser: DevTools (F12) → Network tab → click the first document request → Response Headers panel. Online tools: httpstatus.io and headers.cloxy.net show headers for any public URL without terminal access. Always use the actual live URL, not localhost, to see production header configuration.
X-Robots-Tag: HTTP-level indexing control
Defined in Google's robots meta tag specification (not an IETF standard), X-Robots-Tag controls indexing at the HTTP level rather than in HTML — making it applicable to all file types: PDFs, images, JavaScript bundles, RSS feeds, and HTML alike. Common values: `noindex` (remove from index), `nofollow` (do not follow links), `noarchive` (no cached copy), `noimageindex` (do not index images on page). An accidental `noindex` from a staging environment variable pushed to production is one of the most common causes of sudden, unexplained ranking drops. Google processes X-Robots-Tag before parsing HTML — it acts faster than meta robots.
Cache-Control: TTFB, CWV, and crawl efficiency
Cache-Control is defined in RFC 7234 (HTTP/1.1) and RFC 9111 (HTTP/2+). It directly affects Time To First Byte (TTFB), which feeds into Largest Contentful Paint (LCP) — a Core Web Vitals metric. Google's CrUX (Chrome User Experience Report) data shows TTFB above 800ms correlates with below-average LCP scores. Recommended directives: static assets use `public, max-age=31536000, immutable` (1 year + immutable); HTML pages use `no-cache` (revalidate on each request without full re-download); API responses use `private, no-store`. The `immutable` directive (RFC 8246) prevents conditional requests on cached responses, saving one round-trip per repeat visit.
HSTS: RFC 6797 and browser-level HTTPS enforcement
HTTP Strict Transport Security (HSTS) is defined in RFC 6797 (2012). It instructs browsers to refuse plaintext HTTP connections to your domain for the duration specified in `max-age` (in seconds). Google announced HTTPS as a ranking signal on August 6, 2014 in a Webmaster Central blog post — a small but confirmed boost. Without HSTS, browsers allow an initial HTTP connection on each new session before the 301 redirect occurs — creating a window for SSL-stripping attacks (MITM). Minimum recommended value: `Strict-Transport-Security: max-age=31536000; includeSubDomains` (1 year). Adding `preload` submits your domain to browsers' built-in HSTS preload list (managed at hstspreload.org), making the protection instantaneous even on first visits.
Content-Security-Policy: W3C Level 3 XSS defense
Content-Security-Policy (CSP) is a W3C specification (Level 3, 2023) that implements a whitelist of allowed resource origins, preventing cross-site scripting (XSS) — ranked #3 on the OWASP Top 10 2021 (A03:2021 – Injection). A restrictive CSP prevents malicious scripts from loading even if an attacker injects them via a database compromise or third-party dependency. Example minimal policy: `Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-RANDOM'; style-src 'self' 'unsafe-inline'`. Sites with strong CSP headers have been shown to recover faster from compromise events because the attack surface is pre-restricted. CSP Level 3 adds `'strict-dynamic'` which trusts scripts loaded by trusted scripts, enabling nonce-based policies at scale.
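The nonce-based policy this section describes, worked through as an added example (not code from this page or its tool): a standard-library WSGI app that mints a fresh nonce per response, places it both in the Content-Security-Policy header and on the inline script tag, and adds 'strict-dynamic' so scripts loaded by the nonced script are trusted transitively. The function names (`new_nonce`, `build_csp`, `render`, `app`) and the page template are assumptions.

```python
"""Per-response nonce-based CSP with 'strict-dynamic' (CSP Level 3).
Added example, not the page's own code; names and template are assumptions."""
import secrets
from wsgiref.simple_server import make_server

# Constructed page template: the single inline script carries the per-response nonce.
TEMPLATE = ('<!doctype html><title>demo</title>'
            '<script nonce="{nonce}">console.log("ok")</script>')


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded; a nonce must never be reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """The page's minimal policy plus 'strict-dynamic'. With 'strict-dynamic' a
    CSP3 browser ignores 'self' for scripts and trusts only the nonced script and
    whatever it loads; 'self' stays as the fallback for older browsers."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'; "
            "style-src 'self' 'unsafe-inline'; "
            "frame-ancestors 'none'")


def render(nonce: str) -> str:
    """Fill the nonce slot; the attribute value must match the header exactly."""
    return TEMPLATE.format(nonce=nonce)


def app(environ, start_response):
    """WSGI entry point: one nonce per response, shared by header and markup."""
    nonce = new_nonce()
    body = render(nonce).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", build_csp(nonce)),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving on http://127.0.0.1:8000 (Ctrl-C to stop)")
        httpd.serve_forever()
```

Run it and fetch the page twice with `curl -sI`: the nonce in the header changes on every response, which is the property that makes a nonce useless to an injected script.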
X-Content-Type-Options, X-Frame-Options, and Referrer-Policy
`X-Content-Type-Options: nosniff` — introduced in Internet Explorer 8 (2008) and now a MIME sniffing standard — prevents browsers from guessing file MIME types, closing a class of content injection attacks. `X-Frame-Options: DENY` (RFC 7034) prevents your pages from being embedded in iframes on other domains, blocking clickjacking attacks where users are tricked into clicking invisible overlaid elements. `Referrer-Policy: strict-origin-when-cross-origin` controls how much referrer information is sent with cross-origin requests — balancing analytics data with user privacy. Together these three headers take under 5 minutes to implement and raise your securityheaders.com grade from D to B in most cases.
Pro Tips
After configuring your headers, check securityheaders.com (run by security researcher Scott Helme). An A or A+ score requires: HSTS (min max-age=86400), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options or CSP frame-ancestors, Referrer-Policy, and Permissions-Policy. A+ additionally requires HSTS with the preload flag. Sites with A+ scores have a demonstrably lower risk of XSS compromise — which Google factors into E-E-A-T trust assessments. The check is free and instant for any public URL.
Headers can differ between page types based on CDN rules, server config blocks, or CMS plugins that apply settings to specific URL patterns. The homepage is almost always the best-configured URL. Verify headers on: your highest-traffic landing pages, category/archive pages (often have different cache rules), checkout or account pages (must have strict no-store), and API endpoints (must have correct CORS and no-cache headers). A misconfigured header on a category page can de-index dozens of URLs in a single crawl cycle.
Server configuration changes, CDN rule updates, Next.js version upgrades, and WAF policy changes can all silently alter response headers. Add a post-deploy header assertion step using curl: `curl -sI https://yoursite.com | grep -i "x-robots-tag"` — if it returns noindex, your deploy pipeline should fail and alert. Tools like Checkly, Uptime Robot, and GitHub Actions can run this assertion on every deploy. Many SEO catastrophes that "appeared from nowhere" trace back to a header changed in a deployment weeks earlier.
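The grading checklist from the Pro Tips above and the post-deploy header assertion from this paragraph, combined into one added example (not the analyzer's own code). It parses a raw `curl -sI` capture, reports every unmet item of the A/A+ checklist, and returns a non-zero exit when X-Robots-Tag carries noindex or Content-Type is absent, so a pipeline step can fail on it. The thresholds are the page's; the letter mapping for partial results, the deploy-gate rules, and the function names (`parse_headers`, `security_findings`, `grade`, `deploy_gate`) are assumptions, and the sample capture is constructed.

```python
"""Grade a raw response-header block against the checklist above and gate a deploy on it.
Added example, not the analyzer's own code. Thresholds are the page's (HSTS max-age >= 86400,
CSP, nosniff, X-Frame-Options or frame-ancestors, Referrer-Policy, Permissions-Policy, preload
for A+); the B/C/D/F mapping and the gate rules (noindex, missing Content-Type) are assumptions.
Pipeline use:  curl -sI https://yoursite.com | python3 header_check.py"""
import re
import sys

# Constructed sample capture, not from a real site. Note the stray noindex.
SAMPLE_RAW = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()
x-robots-tag: noindex, nofollow
"""

def parse_headers(raw: str) -> dict:
    """lower-cased name -> list of values; skips the status line, keeps repeated
    headers, and stops at the first blank line so a pasted body is ignored."""
    headers, started = {}, False
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line.strip():
            if started:
                break
            continue
        started = True
        if line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(headers: dict):
    """Seconds from Strict-Transport-Security; 0 if no max-age, None if header absent."""
    values = headers.get("strict-transport-security")
    if not values:
        return None
    m = re.search(r"max-age\s*=\s*\"?(\d+)", values[0], re.IGNORECASE)
    return int(m.group(1)) if m else 0

def csp_directives(headers: dict) -> dict:
    """Every Content-Security-Policy header split into directive -> source list."""
    directives = {}
    for policy in headers.get("content-security-policy", []):
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives

def security_findings(headers: dict) -> list:
    """Each unmet item of the A-grade checklist as a readable string."""
    findings = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append("Strict-Transport-Security missing")
    elif age < 86400:
        findings.append(f"HSTS max-age={age} is below 86400")
    csp = csp_directives(headers)
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:  # a nonce or hash makes 'unsafe-inline' inert, so flag it only when none is present
        script_src = csp.get("script-src") or csp.get("default-src", [])
        keyed = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        if ("'unsafe-inline'" in script_src or "*" in script_src) and not keyed:
            findings.append("CSP script-src allows 'unsafe-inline' or * without a nonce/hash")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors (clickjacking)")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in headers:
            findings.append(f"{name} missing")
    return findings

def grade(headers: dict) -> str:
    """A+ = clean checklist plus HSTS preload; each miss drops one letter, floor F."""
    findings = security_findings(headers)
    if not findings:
        return "A+" if "preload" in headers["strict-transport-security"][0].lower() else "A"
    return "BCDF"[min(len(findings), 4) - 1]

def deploy_gate(headers: dict) -> list:
    """Reasons a deploy should fail: noindex in X-Robots-Tag, or no Content-Type."""
    problems = [f"X-Robots-Tag: {v}" for v in headers.get("x-robots-tag", [])
                if re.search(r"\bnoindex\b", v, re.IGNORECASE)]
    if "content-type" not in headers:
        problems.append("Content-Type missing")
    return problems

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RAW if sys.stdin.isatty() else sys.stdin.read())
    print("security grade:", grade(hdrs), security_findings(hdrs))
    problems = deploy_gate(hdrs)
    print("deploy gate:", "BLOCKED: " + "; ".join(problems) if problems else "ok")
    sys.exit(1 if problems else 0)
```

The parser stops at the first blank line, so if you pipe in `curl -sIL` output that contains several header blocks from a redirect chain, only the first response is graded; check the final URL separately.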
Frequently Asked Questions
- Can an HTTP header cause a page to disappear from Google?
- Yes — `X-Robots-Tag: noindex` will remove the page from Google's index during the next crawl, typically within 24–72 hours. This is silent: Search Console shows the URL as "Excluded" under "Crawled – currently not indexed" without an obvious alert. Other header misconfigurations that affect indexing: incorrect `Cache-Control: no-store` on public pages can prevent caching and slow Googlebot, HTTPS certificate errors block crawling entirely, and missing `Content-Type: text/html` headers may cause Googlebot to skip HTML parsing. Check X-Robots-Tag first whenever debugging unexplained ranking drops.
- What is the most important HTTP header for SEO?
- X-Robots-Tag is the most SEO-critical header because it directly and immediately controls indexability for all file types — a mistake here has the fastest negative impact. After that, Cache-Control affects TTFB and LCP (both Core Web Vitals inputs). HSTS enforces HTTPS, which Google has used as a ranking signal since August 2014. Content-Security-Policy matters for preventing compromises that trigger manual spam actions. In practice, a correct Content-Type header is also critical — responses without it may not be parsed correctly by Googlebot.
- How do I check headers without using the terminal?
- Browser DevTools: Open Chrome/Firefox, press F12, go to the Network tab, reload the page, click the first request in the list (usually the HTML document), then click the Headers tab → Response Headers section. Copy all visible headers and paste them here. Online alternatives: httpstatus.io (shows status code + all headers), reqbin.com (full HTTP request/response viewer), and securityheaders.com (graded security header report). For pages behind authentication or on staging servers, the curl command is more reliable: `curl -sI -H "Cookie: session=YOUR_COOKIE" https://yoursite.com`.
- What is the difference between X-Robots-Tag and meta robots?
- Both control indexing, but at different levels. The HTML `<meta name="robots" content="noindex">` tag lives in the document's `<head>` and only applies to HTML pages — Googlebot must download and parse the HTML to read it. X-Robots-Tag is an HTTP response header that applies to all file types before any content is parsed. If both are present and conflict, the more restrictive directive wins. X-Robots-Tag is also the only way to set noindex on non-HTML files (PDFs, images, CSV downloads). For HTML pages, either method works — but X-Robots-Tag takes effect earlier in Googlebot's processing pipeline.
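The conflict rule in this answer, worked through as an added example (not code from this page or its tool): given the X-Robots-Tag header values of a response and the page's HTML, compute the directives that actually apply to a crawler. X-Robots-Tag may repeat and may be prefixed with a crawler name (`googlebot: noindex`), which the code honours; the meta tag is read with the standard-library HTML parser. Function names and the sample header/HTML pair are assumptions.

```python
"""Effective robots directives when X-Robots-Tag and <meta name="robots"> are both present.
Added example, not the page's own code. Rule from the FAQ: the more restrictive directive
wins, so a permissive index/follow in one source never cancels noindex/nofollow in the other."""
from html.parser import HTMLParser

PERMISSIVE = {"all", "index", "follow"}  # add nothing restrictive, so they drop out


class _MetaRobots(HTMLParser):
    """Collect the content= of every <meta name="robots"> in the document."""
    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases attribute names
        if a.get("name", "").strip().lower() == "robots":
            self.contents.append(a.get("content", ""))


def meta_robots_content(html: str) -> str:
    """All meta robots content values joined, so repeated tags are merged too."""
    parser = _MetaRobots()
    parser.feed(html)
    return ", ".join(parser.contents)


def parse_directives(content: str) -> set:
    """'noindex, nofollow' -> {'noindex', 'nofollow'}; 'none' expands to both."""
    tokens = {t.strip().lower() for t in content.split(",") if t.strip()}
    if "none" in tokens:
        tokens -= {"none"}
        tokens |= {"noindex", "nofollow"}
    return tokens - PERMISSIVE


def x_robots_directives(values, crawler: str = "googlebot") -> set:
    """Unprefixed values apply to every crawler; 'bot: ...' only to that bot.
    'unavailable_after: <date>' also contains a colon and is not a prefix."""
    result = set()
    for value in values:
        head, sep, rest = value.partition(":")
        if sep and head.strip().lower() != "unavailable_after":
            if head.strip().lower() != crawler:
                continue  # aimed at a different crawler
            value = rest
        result |= parse_directives(value)
    return result


def effective_directives(x_robots_values, html: str, crawler: str = "googlebot") -> set:
    """Union of both sources: the restrictive set from either one survives."""
    return x_robots_directives(x_robots_values, crawler) | parse_directives(meta_robots_content(html))


def is_indexable(x_robots_values, html: str, crawler: str = "googlebot") -> bool:
    return "noindex" not in effective_directives(x_robots_values, html, crawler)


# Constructed sample: the HTML says index, the header says noindex for Googlebot only.
SAMPLE_HTML = '<html><head><meta name="robots" content="index, follow"></head><body>hi</body></html>'
SAMPLE_X_ROBOTS = ["googlebot: noindex", "otherbot: nofollow", "noarchive"]

if __name__ == "__main__":
    for bot in ("googlebot", "bingbot"):
        print(bot, sorted(effective_directives(SAMPLE_X_ROBOTS, SAMPLE_HTML, bot)),
              "indexable:", is_indexable(SAMPLE_X_ROBOTS, SAMPLE_HTML, bot))
```

With the sample above, Googlebot ends up with noindex despite the HTML's `index, follow`, while a crawler the header does not name keeps only the unprefixed `noarchive`, which is exactly the situation that makes a header-only noindex hard to spot in the page source.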