HTTP headers

HTTP /api/v1/http/headers

Capture every response header, follow redirects, time each hop.

Try: https://host.com https://checkhost.com https://hostinfo.com https://crypt.tools

Related: HTTP headers Security headers grader Redirect chain tracer SSL certificate inspector robots.txt parser sitemap.xml inspector

https://www.widn.ai/sitemap.xml 200 1 hop 127 ms

Final response headers (25)

date	Sat, 09 May 2026 20:56:33 GMT
content-type	text/xml
content-security-policy	default-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' https://cdn.equalweb.com https://.mouseflow.com https://enhanci-widgets.s3.eu-west-2.amazonaws.com https://.hs-scripts.com https://.hs-banner.com https://.hscollectedforms.net https://.hs-analytics.net https://.googletagmanager.com https://.google.com https://.gstatic.com https://.zdassets.com https://.hsforms.net https://.jsdelivr.net https://.cookieyes.com https://.mxpnl.com https://.bablic.com https://.s3.amazonaws.com https://cdn-cookieyes.com https://.cdn-cookieyes.com ; style-src 'unsafe-inline' 'self' https://enhanci-widgets.s3.eu-west-2.amazonaws.com https://fonts.googleapis.com ; object-src 'none'; base-uri 'self'; connect-src 'self' https://cdn.equalweb.com https://.mixpanel.com https://.hsforms.com https://enhanci-widgets.s3.eu-west-2.amazonaws.com https://cognito-idp.us-east-1.amazonaws.com https://.google.com https://.google-analytics.com https://.analytics.google.com https://.enhanci.com https://.widn.ai https://.bablic.com https://.cookieyes.com https://cdn-cookieyes.com https://.cdn-cookieyes.com https://.mouseflow.com https://.zdassets.com https://.zendesk.com https://.hscollectedforms.net ; font-src 'self' https://.s3.amazonaws.com https://.scalar.com https://fonts.gstatic.com ; frame-src 'self' https://.mouseflow.com https://.hsforms.com https://.google.com ; img-src 'self' https://.mouseflow.com https://cdn-cookieyes.com https://.cookieyes.com https://.hsforms.com https://*.hubspot.com data: ; manifest-src 'self'; media-src 'self'; worker-src 'none';
last-modified	Tue, 17 Mar 2026 10:00:42 GMT
server	cloudflare
x-amz-server-side-encryption	AES256
cache-control	public,max-age=31536000,immutable
content-encoding	br
etag	W/"d9d77a3dc611b5c6eb05c28391148ed8"
vary	Accept-Encoding
x-cache	Hit from cloudfront
via	1.1 ec87b0eaae98600539e64627bd582e82.cloudfront.net (CloudFront)
x-amz-cf-pop	AMS58-P5
x-amz-cf-id	3jLyEDvsd6rqMafldEqo3tSxZo0WpFaBEqulS-h-ICQcnboQYQ5iew==
age	7538
cf-cache-status	DYNAMIC
strict-transport-security	max-age=31536000; includeSubDomains
x-content-type-options	nosniff, nosniff
report-to	{"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=8ATUrEZveIfIx%2FclSe23vil1Dmyramih6%2BvhSFFuNH5peA4znbr9tdV8NYEYoKOIQ4EKrXWBqE8Ct5UN%2B8PNIxJw5FXvbKwBFT7B5NU%2Fj%2FWvjkgFLqv8wG7RlHVvaw%3D%3D"}]}
nel	{"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
permissions-policy	accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), clipboard-read=(), clipboard-write=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
referrer-policy	no-referrer
x-frame-options	SAMEORIGIN
cf-ray	9f939c8baa700e50-AMS
alt-svc	h3=":443"; ma=86400

Tech stack

CloudflareHTTP/3 (QUIC)

How to use HTTP headers

1

Paste your input

Enter the value at the top — domain, IP, URL, email, ASN, hash, whatever fits this tool. The smart input auto-detects type.
2

Click "Inspect"

host.tools issues real probes (DNS, HTTP, TCP, TLS, WHOIS where applicable) and renders the result in milliseconds.
3

Open the API tab

Every web tool has a sibling /api/v1/http/headers JSON endpoint with the same payload. One copy-as-curl click and you're scripting it.

Why this matters

Headers are how the modern web declares its security posture. Auditing them is the highest-ROI thing you can do this week.

API equivalent

/api/v1/http/headers?q=https%3A%2F%2Fwww.widn.ai%2Fsitemap.xml

curl -s '/api/v1/http/headers?q=https%3A%2F%2Fwww.widn.ai%2Fsitemap.xml'

Embed this tool

<iframe src="/http/headers?q={INPUT}&embed=1"
  width="100%" height="600" frameborder="0"></iframe>

Drop into any HTML page. The embed=1 flag hides nav and footer.

FAQ · HTTP headers

Common questions

Is HTTP headers free?

Yes — every tool is free on the web with a 200/hour rate limit per IP. The matching API endpoint /api/v1/http/headers is free up to 100 requests/hour, no key required.

Where does the data come from?

Real-time probes against authoritative sources (DNS root, RIRs, registries, the target server itself), plus partner data feeds from hostinfo.com (GeoIP/ASN) and hostcheck.com (reputation).

How fresh are the results?

Live by default. Cached for 5 minutes to make repeat queries instant; pass ?nocache=1 for a forced refresh.

Can I run this from the command line?

Yes — every tool ships with a copy-as-curl. There's also an official CLI: host.tools http headers YOUR_INPUT.

Can I monitor results over time?

Pro tier lets you schedule any tool to run every 1/5/15/60 min and alert on diff. See monitors.

host.tools Pro

Run HTTP headers on a schedule. Get pinged when it changes.

Pro gets you bulk lookups, monitors, webhook alerts, history, exports and 10,000 API calls/day. $19/mo.

See pricing Tour monitors

✓Schedule any tool — every 1, 5, 15, 60 min
✓Diff against last run, alert on change
✓Webhook + email + Slack + PagerDuty + OpsGenie
✓Bulk CSV upload, 1,000 inputs per job
✓Export results as CSV / NDJSON / Excel
✓90-day history, comparison view