Why do I see a CORS or fetch error?

Browsers enforce the Same-Origin Policy, so direct header fetches are blocked. This tool routes requests through a public CORS proxy (allorigins.win). Some sites block proxy requests, which will result in an error.

What is Content-Security-Policy (CSP)?

CSP tells browsers which sources are allowed to load scripts, styles, images, and other resources. A missing CSP header increases the risk of cross-site scripting (XSS) attacks.

HTTP Strict-Transport-Security forces browsers to connect only via HTTPS for a specified period, protecting against protocol downgrade attacks.

What does X-Frame-Options do?

It controls whether the page can be loaded in an iframe. Setting it to DENY or SAMEORIGIN prevents clickjacking attacks.

Network 免费无需注册

Network Header Checker

Inspect HTTP response headers and security header status

正在加载工具…

关于此工具

Enter any URL and see its HTTP response headers along with a security checklist. The tool highlights the presence or absence of critical security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Because browsers block direct cross-origin requests, a public CORS proxy is used to fetch headers client-side. Use this tool to audit your own sites or explore how popular sites are configured.

使用方法

1 Enter the full URL (including https://) you want to check.
2 Click 'Check Headers'. The tool fetches the URL via a CORS proxy.
3 Review the raw headers returned and the security-header checklist below.
4 Green items are present; red items are missing and may need attention.

关于此工具

使用方法

常见问题