Enter a URL to inspect its HTTP response headers and get a security score. Checks for important security headers like HSTS, Content-Security-Policy, and more.
HTTP Header Analyzer
Analyze HTTP response headers and grade security headers
What HTTP headers are and why they affect SEO and security
Every HTTP response includes a set of headers before the page content arrives. They tell the browser (and crawlers) how to handle caching, whether connections must be encrypted, which scripts may run, and whether the page can be embedded in a frame. Most developers set them once and forget them: they're invisible to users but fully visible to crawlers and security scanners.
The headers most relevant to SEO are X-Robots-Tag (the HTTP equivalent of the robots meta tag, useful for PDFs and non-HTML files), Cache-Control (correct caching speeds pages up, feeding Core Web Vitals), and the Location header on redirects. The key security headers are Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Build a policy with the CSP Header Builder, and run the whole page through the SEO Analyzer to see security headers graded alongside meta tags, headings, and Core Web Vitals in one report.
How to use this tool
- Enter the full URL you want to inspect (include https://).
- The tool fetches the headers via a proxy and displays every response header with its value.
- Review the security-header grades: each gets a pass, warning, or fail.
- For any missing header, see the recommended value and add it in your server config, Cloudflare, or framework middleware.
How to fix common header issues
- Missing HSTS. Add `Strict-Transport-Security: max-age=31536000; includeSubDomains`. On Cloudflare it's a one-click toggle under SSL/TLS.
- Missing X-Frame-Options. Add `X-Frame-Options: SAMEORIGIN` (or `DENY`), or the modern `Content-Security-Policy: frame-ancestors 'self'`.
- Missing X-Content-Type-Options. Add `X-Content-Type-Options: nosniff`, a one-liner with zero downside.
- No CSP. The hardest to get right. Start with `Content-Security-Policy-Report-Only` to audit violations before enforcing.
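The checks in the list above, written as a grader over a set of response headers. This is an added example, not this tool's own code: the function name gradeSecurityHeaders and the pass/warning/fail thresholds are assumptions, and the sample headers are constructed.

```javascript
// Added example. Thresholds for pass/warning/fail are assumptions.
function gradeSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const csp = h['content-security-policy'] || '';
  const grades = {};

  // HSTS: max-age=0 clears the policy (fail); under one year is a warning.
  const m = /max-age\s*=\s*"?(\d+)/i.exec(h['strict-transport-security'] || '');
  const age = m ? Number(m[1]) : 0;
  grades.hsts = age === 0 ? 'fail' : age >= 31536000 ? 'pass' : 'warning';

  // Framing: X-Frame-Options DENY/SAMEORIGIN, or an enforced frame-ancestors.
  // Any other X-Frame-Options value (e.g. obsolete ALLOW-FROM) is a warning.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const framed = xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    /(^|;)\s*frame-ancestors\s/i.test(csp);
  grades.framing = framed ? 'pass' : xfo ? 'warning' : 'fail';

  // X-Content-Type-Options: nosniff is the only defined value.
  const xcto = (h['x-content-type-options'] || '').toLowerCase();
  grades.nosniff = xcto === 'nosniff' ? 'pass' : xcto ? 'warning' : 'fail';

  // CSP: Report-Only audits but does not enforce, so it earns only a warning.
  const reportOnly = h['content-security-policy-report-only'];
  grades.csp = csp ? 'pass' : reportOnly ? 'warning' : 'fail';

  grades.referrer = h['referrer-policy'] ? 'pass' : 'fail';
  return grades;
}

// Constructed sample response headers (not taken from a real site).
const sample = {
  'Strict-Transport-Security': 'max-age=86400',
  'X-Frame-Options': 'ALLOW-FROM https://example.com',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy-Report-Only': "default-src 'self'",
};
console.log(gradeSecurityHeaders(sample));
```

A Report-Only policy that carries frame-ancestors does not count toward the framing grade here, because only the enforcing Content-Security-Policy header is consulted.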
Frequently asked questions
Do HTTP security headers affect Google rankings?
Not directly as a ranking signal, but HTTPS (enforced by HSTS) is a confirmed ranking factor. Beyond that, security headers affect user trust, browser warnings, and vulnerability to attacks that could inject spam or get your site flagged by Safe Browsing, which causes significant ranking drops. So the effect is real but indirect.
What is HSTS and why does it matter?
HTTP Strict Transport Security tells browsers to always use HTTPS for your domain, even if someone types http:// or clicks an HTTP link, preventing downgrade attacks. The max-age directive (typically 31536000 = one year) controls how long the browser remembers the rule.
What is a Content Security Policy (CSP)?
A CSP header tells the browser which sources may load scripts, styles, images, and other resources. It is the primary defense against cross-site scripting (XSS). Building one means listing every legitimate source your page loads from; the CSP Header Builder helps generate it.
Why does this tool use a proxy to fetch headers?
Browser security (CORS) prevents JavaScript from reading response headers from another domain directly. The proxy fetches the URL server-side, where CORS doesn't apply, then returns the headers. Your URL isn't stored; the proxy is purely a passthrough.
How do I add security headers on Cloudflare Pages?
Add them in a _headers file in your project's public root. Each header goes on its own line under the URL pattern it applies to. For example, "/*" followed by "Strict-Transport-Security: max-age=31536000; includeSubDomains" applies HSTS to every page. Cloudflare Pages deploys _headers automatically.