Why do I see a CORS or fetch error?

Browsers enforce the Same-Origin Policy, so direct header fetches are blocked. This tool routes requests through a public CORS proxy (allorigins.win). Some sites block proxy requests, which will result in an error.

What is Content-Security-Policy (CSP)?

CSP tells browsers which sources are allowed to load scripts, styles, images, and other resources. A missing CSP header increases the risk of cross-site scripting (XSS) attacks.

HTTP Strict-Transport-Security forces browsers to connect only via HTTPS for a specified period, protecting against protocol downgrade attacks.

What does X-Frame-Options do?

It controls whether the page can be loaded in an iframe. Setting it to DENY or SAMEORIGIN prevents clickjacking attacks.

Network Free No signup

Network Header Checker

Inspect HTTP response headers and security header status

Loading tool…

About this tool

Enter any URL and see its HTTP response headers along with a security checklist. The tool highlights the presence or absence of critical security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Because browsers block direct cross-origin requests, a public CORS proxy is used to fetch headers client-side. Use this tool to audit your own sites or explore how popular sites are configured.

How to use

1 Enter the full URL (including https://) you want to check.
2 Click 'Check Headers'. The tool fetches the URL via a CORS proxy.
3 Review the raw headers returned and the security-header checklist below.
4 Green items are present; red items are missing and may need attention.

Frequently Asked Questions

Related tools

URL Encoder / Decoder

Percent-encode or decode URLs and query parameters — full and component modes.

JSON Formatter & Validator

Format, validate, and minify JSON — with syntax error pinpointing.