HTTP headers

HTTP /api/v1/http/headers

Capture every response header, follow redirects, time each hop.

Try: https://host.com https://checkhost.com https://hostinfo.com https://crypt.tools

Related: DNS lookup (dig) DNS propagation Domain WHOIS SSL certificate inspector HTTP headers Security headers grader MX lookup SPF tester DMARC tester

https://github.com 200 1 hop 118 ms

Final response headers (17)

date	Sat, 09 May 2026 05:00:27 GMT
content-type	text/html; charset=utf-8
vary	X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept-Language, Sec-Fetch-Site,Accept-Encoding, Accept, X-Requested-With
content-language	en-US
etag	W/"3ec06c5fc9d0e2c6bede60a1859486a6"
cache-control	max-age=0, private, must-revalidate
strict-transport-security	max-age=31536000; includeSubdomains; preload
x-frame-options	deny
x-content-type-options	nosniff
x-xss-protection	0
referrer-policy	origin-when-cross-origin, strict-origin-when-cross-origin
content-security-policy	default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com .rel.tunnels.api.visualstudio.com wss://.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com .actions.githubusercontent.com wss://.actions.githubusercontent.com productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net productionresultssa4.blob.core.windows.net productionresultssa5.blob.core.windows.net productionresultssa6.blob.core.windows.net productionresultssa7.blob.core.windows.net productionresultssa8.blob.core.windows.net productionresultssa9.blob.core.windows.net productionresultssa10.blob.core.windows.net productionresultssa11.blob.core.windows.net productionresultssa12.blob.core.windows.net productionresultssa13.blob.core.windows.net productionresultssa14.blob.core.windows.net productionresultssa15.blob.core.windows.net productionresultssa16.blob.core.windows.net productionresultssa17.blob.core.windows.net productionresultssa18.blob.core.windows.net productionresultssa19.blob.core.windows.net github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com www.youtube-nocookie.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com user-images.githubusercontent.com private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com images.ctfassets.net/8aevphvgewt8/; manifest-src 'self'; media-src github.com user-images.githubusercontent.com secured-user-images.githubusercontent.com private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com assets.ctfassets.net/8aevphvgewt8/ videos.ctfassets.net/8aevphvgewt8/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server	github.com
content-encoding	gzip
accept-ranges	bytes
set-cookie	_gh_sess=pI2grQM6NXeJuxBW%2BZOfhLplCqglttImIPy507a%2BQKNfR8OoFPAezVBt6zRIoLv%2FpTqa6bOLQFfmn5oQVzKSYxSLyusiZhakJdE5BC74RM%2BUbkjU%2BvP4l9dUzYwbz%2FKNlXf33NUGLuRDM9HBpUj79rFx2qAHgqeLXb5Y9ciSsrXhkK%2FtOfjZu0meyTbdsJpXcJW0w5sQsdxclpCyT3H5k1vfmzJMf57OVF%2Bs0qn1%2BIu6G42B41%2F%2FMmFbj8yU4i%2B0ITMrLn%2BQsZWlwtUtF%2BnfHg%3D%3D--71z5%2FSCt95talVac--r%2FEujFklHkKX6OwroIVRcA%3D%3D; path=/; HttpOnly; secure; SameSite=Lax, _octo=GH1.1.720820615.1778302833; expires=Sun, 09 May 2027 05:00:33 GMT; domain=.github.com; path=/; secure; SameSite=Lax, logged_in=no; expires=Sun, 09 May 2027 05:00:33 GMT; domain=.github.com; path=/; HttpOnly; secure; SameSite=Lax
x-github-request-id	D1AA:29F185:511EC10:3FBF96A:69FEBF71

How to use HTTP headers

1

Paste your input

Enter the value at the top — domain, IP, URL, email, ASN, hash, whatever fits this tool. The smart input auto-detects type.
2

Click "Inspect"

host.tools issues real probes (DNS, HTTP, TCP, TLS, WHOIS where applicable) and renders the result in milliseconds.
3

Open the API tab

Every web tool has a sibling /api/v1/http/headers JSON endpoint with the same payload. One copy-as-curl click and you're scripting it.

Why this matters

Headers are how the modern web declares its security posture. Auditing them is the highest-ROI thing you can do this week.

API equivalent

/api/v1/http/headers?q=github.com

curl -s '/api/v1/http/headers?q=github.com'

Embed this tool

<iframe src="/http/headers?q={INPUT}&embed=1"
  width="100%" height="600" frameborder="0"></iframe>

Drop into any HTML page. The embed=1 flag hides nav and footer.

FAQ · HTTP headers

Common questions

Is HTTP headers free?

Yes — every tool is free on the web with a 200/hour rate limit per IP. The matching API endpoint /api/v1/http/headers is free up to 100 requests/hour, no key required.

Where does the data come from?

Real-time probes against authoritative sources (DNS root, RIRs, registries, the target server itself), plus partner data feeds from hostinfo.com (GeoIP/ASN) and hostcheck.com (reputation).

How fresh are the results?

Live by default. Cached for 5 minutes to make repeat queries instant; pass ?nocache=1 for a forced refresh.

Can I run this from the command line?

Yes — every tool ships with a copy-as-curl. There's also an official CLI: host.tools http headers YOUR_INPUT.

Can I monitor results over time?

Pro tier lets you schedule any tool to run every 1/5/15/60 min and alert on diff. See monitors.

host.tools Pro

Run HTTP headers on a schedule. Get pinged when it changes.

Pro gets you bulk lookups, monitors, webhook alerts, history, exports and 10,000 API calls/day. $19/mo.

See pricing Tour monitors

✓Schedule any tool — every 1, 5, 15, 60 min
✓Diff against last run, alert on change
✓Webhook + email + Slack + PagerDuty + OpsGenie
✓Bulk CSV upload, 1,000 inputs per job
✓Export results as CSV / NDJSON / Excel
✓90-day history, comparison view