
How to Read HTTP Response Headers (Security & Caching)

Every time a browser loads a page, the server sends back a set of HTTP response headers that control caching, security, and how the content is handled. This guide explains the headers that matter most and how to inspect them.

4 July 2026

What HTTP response headers are

Response headers are metadata a server sends alongside the content — they never appear on the page but tell the browser how to treat it. They set the content type, control caching, enforce security policies, and carry cookies and CORS rules.

You can see them with an HTTP header checker: enter a URL and it makes a live request and lists the status code and every header returned, the same information curl or a browser's network panel would show. One caveat: curl -I sends a HEAD request, and some servers and CDNs answer HEAD with different headers (or a different status) than GET, so to see what a real page load receives run curl -sS -D - -o /dev/null https://example.com/, which performs a GET, prints the headers and discards the body. Headers can also differ by path, by cookies and by the Accept-Encoding the client sends, so check the page you actually care about, not only the home page.

Security headers that matter

Strict-Transport-Security (HSTS) tells the browser to use HTTPS for the host for max-age seconds. The browser only honours it on a response received over HTTPS, and only from the first visit that carried it onward (or from the start if the domain is on the preload list), so the header has to be on the final HTTPS response rather than on an HTTP-to-HTTPS redirect. Content-Security-Policy (CSP) limits which scripts and resources can load and mitigates XSS, but only when script-src does not allow 'unsafe-inline' or wildcard hosts; inline scripts should be allowed by nonce or hash instead. X-Content-Type-Options: nosniff stops the browser from guessing a MIME type that differs from Content-Type, which blocks tricks such as a user-uploaded file served as text being executed as script. X-Frame-Options and the CSP frame-ancestors directive both prevent clickjacking; frame-ancestors is the current mechanism, and a browser that understands it ignores X-Frame-Options when both are present.

Missing security headers are one of the most common findings in an assessment and among the cheapest to fix, since they are a few lines of server or CDN configuration. Checking them on a live URL tells you at a glance which policies your server is sending and which it is not. Check more than one URL, though: a CDN or reverse proxy may add headers on some paths and not others, and error pages, static assets and API responses are often configured separately from the main site.

Caching and content headers

Cache-Control decides whether and for how long browsers and CDNs store a response, and ETag (or Last-Modified) gives them a validator so they can revalidate it cheaply with a conditional request. Getting these right is one of the biggest wins for page speed and Core Web Vitals, and getting them wrong is a security problem in its own right: a response carrying per-user data (a logged-in page, an API result, anything that sets a session cookie) needs Cache-Control: private or no-store, or a shared cache in front of the origin may serve one user's page to the next.

Content-Type tells the browser how to interpret the body (include a charset on text types), and Content-Encoding (gzip or br) indicates compression; a compressed response should also carry Vary: Accept-Encoding so caches keep separate copies for clients that cannot decode that encoding. After a deploy, checking these headers confirms your caching and compression rules actually took effect.
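The checks from the two sections above, the four security headers tested for weak values and the caching headers tested for the shared-cache and compression pitfalls, as an added Python example. It is not the page's own checker or the tool it links to. It parses a raw HTTP/1.1 response in the form curl -D prints it; the two sample responses are constructed for the demo so it runs offline, and the finding codes, the one-year HSTS threshold and the check logic are this example's choices rather than rules stated on the page.

```python
# Audit the security and caching headers of a raw HTTP/1.1 response.
# Added example for this guide (not the page's own checker); runs offline on two constructed samples.
ONE_YEAR = 31_536_000  # HSTS max-age threshold used here (this example's choice)

# Constructed sample, deliberately weak in a few places.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Cache-Control: public, max-age=600\r\n"
    b'ETag: "5f1a-3b2c"\r\n'
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n<!doctype html><title>demo</title>\r\n"
)
# Constructed sample: the same page behind a stricter configuration.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Encoding: br\r\nVary: Accept-Encoding\r\n"
    b"Cache-Control: private, no-store\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    b"frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n\r\n"
)

def parse_response(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Return (status code, headers): names lower-cased, repeated headers kept as a list."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(head[0].split(" ", 2)[1]), headers

def first(headers: dict[str, list[str]], name: str) -> str:
    return headers.get(name, [""])[0]

def directives(value: str, sep: str = ",") -> dict[str, str]:
    """'public, max-age=600' -> {'public': '', 'max-age': '600'}; HSTS uses ';' as separator."""
    pairs = (p.strip().partition("=") for p in value.split(sep))
    return {k.lower(): v.strip('"') for k, _, v in pairs if k}

def csp_directives(value: str) -> dict[str, list[str]]:
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}."""
    return {t[0].lower(): t[1:] for t in (p.split() for p in value.split(";")) if t}

def audit_security(headers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(code, explanation) findings for the four headers the guide names."""
    findings = []
    hsts = directives(first(headers, "strict-transport-security"), ";")
    if not hsts:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        if int(hsts.get("max-age") or 0) < ONE_YEAR:
            findings.append(("hsts-short", "HSTS max-age is under one year"))
        if "includesubdomains" not in hsts:
            findings.append(("hsts-no-subdomains", "HSTS does not cover subdomains"))
    csp = csp_directives(first(headers, "content-security-policy"))
    if not csp:
        findings.append(("csp-missing", "no Content-Security-Policy header"))
    else:
        # script-src falls back to default-src; browsers ignore 'unsafe-inline' once a nonce or hash is listed
        scripts = csp.get("script-src", csp.get("default-src", []))
        strict = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not strict:
            findings.append(("csp-unsafe-inline", "script-src allows 'unsafe-inline'; CSP does little against XSS"))
    if first(headers, "x-content-type-options").lower() != "nosniff":
        findings.append(("nosniff-missing", "X-Content-Type-Options: nosniff not set"))
    xfo = first(headers, "x-frame-options").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("framing-unrestricted", "no frame-ancestors and no X-Frame-Options DENY/SAMEORIGIN"))
    return findings

def audit_caching(headers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Findings for the caching mistakes that bite behind a shared cache or CDN."""
    findings = []
    cc = directives(first(headers, "cache-control"))
    if "set-cookie" in headers and not {"private", "no-store"} & set(cc):
        findings.append(("cookie-shared-cacheable", "sets a cookie without private/no-store; a shared cache may store it"))
    ctype = first(headers, "content-type").lower()
    if ctype.startswith("text/") and "charset=" not in ctype:
        findings.append(("charset-missing", "text Content-Type without a charset"))
    vary = {v.strip().lower() for v in first(headers, "vary").split(",")}
    if "content-encoding" in headers and not vary & {"accept-encoding", "*"}:
        findings.append(("vary-missing", "compressed body without Vary: Accept-Encoding"))
    return findings

def audit(raw: bytes) -> dict:
    status, headers = parse_response(raw)
    return {"status": status, "security": audit_security(headers), "caching": audit_caching(headers)}

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for section, items in ((k, v) for k, v in audit(raw).items() if k != "status"):
            print(f"[{label}/{section}]", ", ".join(code for code, _ in items) or "clean")
```

To run it against a real site, replace the sample with the bytes of curl -sS -D - -o /dev/null URL; the parser only reads up to the blank line, so a body after it is ignored. Note that HSTS and Cache-Control look alike but use different separators (semicolon versus comma), which is why the parser takes the separator as a parameter.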


Frequently asked questions

How do I see the HTTP headers a website sends?
Use an HTTP header checker: paste the URL and it performs a live request and lists the status code and all response headers. You can also open your browser's DevTools Network tab, select the request and read its Headers panel, or run curl -sS -D - -o /dev/null against the URL to print the headers of a GET response.
Which security headers should every site have?
At minimum: Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options: nosniff, and X-Frame-Options (or, preferably, CSP frame-ancestors). These defend against protocol downgrade and SSL stripping, XSS, MIME sniffing, and clickjacking, provided the values are strict: a CSP whose script-src allows 'unsafe-inline', or an HSTS with a max-age of a few minutes, is present but does little.