Question 1

Why is a WAF or server blocking my HTTP header request?

Accepted Answer

Many Web Application Firewalls such as Cloudflare block automated requests. Use the Spoof Identity dropdown to select Standard Browser (Chrome) — this sends realistic Sec-Fetch headers that allow the tool to fetch the real HTTP response headers past the firewall.

Question 2

What are HTTP security headers and why do they matter?

Accepted Answer

Security headers such as Content-Security-Policy and Strict-Transport-Security are server instructions that tell the browser how to handle the page's security. They protect against vulnerabilities like cross-site scripting, clickjacking, and protocol downgrade attacks.

Question 3

How do I export HTTP headers to share with my team?

Accepted Answer

After fetching the headers, click the Download JSON button. This exports the full multi-hop redirect chain and header list into a clean JSON file suitable for attaching to bug reports or tickets.

Question 4

How do I check if my website has HSTS enabled?

Accepted Answer

Enter your website URL and click Fetch Headers. Look for the Strict-Transport-Security header in the results. If it is present, HSTS is enabled. The tool highlights missing or misconfigured security headers so you can identify gaps at a glance.

Inspect HTTP Headers

Understanding HTTP Headers

WAF Bypass & Spoofing

Redirect Tracing

Common Questions

Why are security headers important?

Does this tool log my data?