HTTP Headers Checker

Why HTTP headers matter

HTTP response headers travel back from the server with every page request. They control browser behaviour — caching, security boundaries, content type, encoding — and they're invisible to most site owners unless they go looking. The wrong headers can leak data, slow a site, or expose it to attack.

The six security headers every modern site should set

• Strict-Transport-Security (HSTS) — tells browsers "only ever talk to me over HTTPS". Set a long max-age (e.g. max-age=31536000).
• Content-Security-Policy (CSP) — the strongest XSS defence available. Define what scripts/styles can load.
• X-Content-Type-Options: nosniff — stops MIME-type confusion attacks.
• X-Frame-Options: SAMEORIGIN — your site can't be embedded in someone else's iframe (clickjacking).
• Referrer-Policy: strict-origin-when-cross-origin — sensible default, less data leak via Referer header.
• Permissions-Policy — explicitly disable features your site doesn't use (camera, mic, geolocation, etc.).

Caching headers — affect performance and SEO

• Cache-Control — tells browsers and CDNs how long to cache the response.
• ETag / Last-Modified — let browsers do efficient revalidation.
• Vary — declare what request features change the response (User-Agent, Cookie, etc.).

Hostiko's own pages set all six security headers via includes/config.php — verify by checking hostiko.co.ke with this tool.