Why do I see a CORS or fetch error?

Browsers enforce the Same-Origin Policy, so direct header fetches are blocked. This tool routes requests through a public CORS proxy (allorigins.win). Some sites block proxy requests, which will result in an error.

What is Content-Security-Policy (CSP)?

CSP tells browsers which sources are allowed to load scripts, styles, images, and other resources. A missing CSP header increases the risk of cross-site scripting (XSS) attacks.

HTTP Strict-Transport-Security forces browsers to connect only via HTTPS for a specified period, protecting against protocol downgrade attacks.

What does X-Frame-Options do?

It controls whether the page can be loaded in an iframe. Setting it to DENY or SAMEORIGIN prevents clickjacking attacks.

Network Gratis Sin registro

Network Header Checker

Inspect HTTP response headers and security header status

Cargando la herramienta…

Acerca de esta herramienta

Enter any URL and see its HTTP response headers along with a security checklist. The tool highlights the presence or absence of critical security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Because browsers block direct cross-origin requests, a public CORS proxy is used to fetch headers client-side. Use this tool to audit your own sites or explore how popular sites are configured.

Cómo usar

1 Enter the full URL (including https://) you want to check.
2 Click 'Check Headers'. The tool fetches the URL via a CORS proxy.
3 Review the raw headers returned and the security-header checklist below.
4 Green items are present; red items are missing and may need attention.

Preguntas frecuentes

Herramientas relacionadas

Codificador / Decodificador de URL

Codifica o decodifica en porcentaje URLs y parámetros de consulta — modos completo y de componente.

Formateador y validador JSON

Formatea, valida y minifica JSON — con señalización exacta de errores de sintaxis.