HTTP Headers
Response headers and redirect chain for a URL.
Response headers for https://westhost.com
| (status) | HTTP/1.1 301 Moved Permanently |
| Date | Tue, 09 Jun 2026 16:55:26 GMT | Tue, 09 Jun 2026 16:55:26 GMT |
| Content-Type | text/html | text/html; charset=utf-8 |
| Connection | close | close |
| Server | cloudflare | cloudflare |
| Nel | {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} | {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} |
| Location | https://www.westhost.com/ |
| Strict-Transport-Security | max-age=63072000; includeSubDomains | max-age=63072000; includeSubDomains |
| Cf-Cache-Status | DYNAMIC | DYNAMIC |
| Report-To | {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=aq2BBo7s9BoKAqtx62jWUJ9XXn6aR55V6HZ1s3wchHhLPBu5LtYk6EgN8s5mniQAy3HrMlPPoW3uTyTMa617aIY5Ll6HCpRdtRfu70DmSIoEBnZ1I1wiiu7GHoBmQOw%3D"}]} | {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=y3mVsorGZVWlX8vsx2SgpVdLO2sqjbd60s4BCjpnTvCwFpJB8JFsGvm8ikrA9lb2hpbM3Am5zIz8LhfJATFN%2BfreIe02DIiaKhClH0vMQmfIwR8iChSIoi49YK0pBSzxkiRz"}]} |
| CF-RAY | a091a9f77ab9e8ff-LHR | a091a9f89f13636d-LHR |
| alt-svc | h3=":443"; ma=86400 | h3=":443"; ma=86400 |
| (status) | HTTP/1.1 200 OK |
| Vary | Accept-Encoding | Accept-Encoding |
| X-Nextjs-Cache | HIT |
| Cache-Control | s-maxage=31536000 |
| X-Powered-By | Next.js |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Content-Security-Policy | script-src www.google.co.uk 'self' 'unsafe-inline' 'unsafe-eval' https://mw.thghosting.com request.eprotect.vantivprelive.com request.eprotect.vantivcnp.com *.dwin1.com *.addtoany.com *.bing.com http://static.hotjar.com https://static.hotjar.com https://script.hotjar.com *.pingdom.net *.trustpilot.com *.jquery.com ajax.googleapis.com platform.twitter.com *.adroll.com *.google.com *.facebook.net *.steelhousemedia.com *.qualtrics.com www.googleadservices.com *.uk2group.com maxcdn.bootstrapcdn.com privacy-policy.truste.com www.gstatic.com *.visualwebsiteoptimizer.com www.googletagmanager.com www.google-analytics.com app.yieldify.com *.westhost.com t.trackedlink.net d33wq5gej88ld6.cloudfront.net s.adroll.com tracking.websitealive.com *.hcaptcha.com https://www.googletagmanager.com https://analytics.tiktok.com/ https://static.cloudflareinsights.com/beacon.min.js/ https://app.termly.io; img-src data: 'self' https://support.thgingenuity.com img.zohostatic.eu match.adsrvr.org *.gstatic.com *.uk2group.com https://bat.bing.com https://bat.bing.net *.gravatar.com *.pingdom.net *.uk2.net p.adsymptotic.com s.w.org csi.gstatic.com cj.dotomi.com widget.trustpilot.com www.privacytrust.com insight.adsrvr.org *.adroll.com *.adnxs.com *.yahoo.com *.facebook.com *.doubleclick.net *.bidswitch.net *.rlcdn.com *.twitter.com *.openx.net googleads.g.doubleclick.net *.googleadservices.com cdsusa.veinteractive.com shareasale.com www.emjcd.com *.westhost.com *.midphase.com privacy-policy.truste.com secure.etrust.org 55b558c7-resources.bk-partnersasia.com ib.adnxs.com *.visualwebsiteoptimizer.com www.google-analytics.com stats.g.doubleclick.net www.google.co.uk www.google.com https://script.hotjar.com http://script.hotjar.com https://www.googletagmanager.com https://files.readme.io https://*.googleusercontent.com https://support.basekit.com https://cdnjs.cloudflare.com/ajax/libs/twemoji/ https://analytics.tiktok.com/ https://analytics-ipv6.tiktokw.us; style-src 'self' 'unsafe-inline' *.westhost.com *.google.com *.googleapis.com dwmvwp56lzq5t.cloudfront.net *.pingdom.net *.bootstrapcdn.com *.visualwebsiteoptimizer.com; frame-src 'self' *.hcaptcha.com *.westhost.com cdn.forms-content.sg-form.com www.google.co.uk www.google.com plus.google.com apis.google.com accounts.google.com platform.twitter.com staticxx.facebook.com www.facebook.com https://vars.hotjar.com widget.trustpilot.com https://www.googletagmanager.com https://app.termly.io; connect-src 'self' https://mw.thghosting.com *.hcaptcha.com *.google-analytics.com *.sentry.io livechat.uk2group.com *.pingdom.net http://*.hotjar.com:* https://*.hotjar.com:* https://vc.hotjar.io:* https://surveystats.hotjar.io wss://*.hotjar.com *.twitter.com dev.visualwebsiteoptimizer.com geo.yieldify.com *.westhost.com widget.trustpilot.com https://bat.bing.com https://bat.bing.net/action/ https://bat.bing.net/actionp/ https://www.google.com/ccm/ https://www.googletagmanager.com https://analytics.tiktok.com/ https://analytics-ipv6.tiktokw.us https://www.facebook.com/tr/ https://cdn.jsdelivr.net/npm/zxcvbn@4.4.2/dist/zxcvbn.js https://app.termly.io https://*.termly.io wss://adac.api.yoursrs.com; font-src data: 'self' http://script.hotjar.com https://script.hotjar.com *.westhost.com *.gstatic.com *.googleapis.com maxcdn.bootstrapcdn.com *.visualwebsiteoptimizer.com stats.g.doubleclick.net; default-src 'self' *.westhost.com; object-src 'self' *.westhost.com *.visualwebsiteoptimizer.com; child-src *.westhost.com *.uk2group.com *.hotjar.com *.twitter.com *.addtoany.com googleads.g.doubleclick.net platform.twitter.com apis.google.com www.facebook.com staticxx.facebook.com accounts.google.com afftrk.biz www.googleadservices.com tracking.opienetwork.com youtu.be www.youtube.com *.visualwebsiteoptimizer.com www.google.com; media-src data: 'self' *.westhost.com; frame-ancestors 'self'; manifest-src 'self' https://uk2group.cloudflareaccess.com; |
About HTTP Headers
This tool sends a HEAD request to a URL, follows up to five redirects, and returns every response header from every hop in the chain. You see what content type is served, how caching is configured, which cookies the site sets, what server software identifies itself, and any custom headers. The HEAD method avoids downloading the body, so even large responses return in milliseconds.
When to use it
Check headers when a browser shows an unexpected redirect, since the chain reveals exactly which URLs the server visits. Use it to verify a CDN is in front of your origin by looking for CF-Ray, X-Served-By, or X-Cache headers. Web developers use it to confirm cache headers like Cache-Control and ETag are configured correctly for static assets, which directly affects page load performance.
How to read the results
Status codes 200 through 299 are success, 301 and 308 are permanent redirects, 302 and 307 are temporary. Cache-Control directives like max-age=3600 set browser cache duration. Strict-Transport-Security indicates HSTS is active. Server and X-Powered-By headers often reveal the stack, though security-conscious sites strip them. Set-Cookie lines show session and tracking cookies with their flags.
Frequently asked questions
Why are some headers shown as arrays? ▾
When a server sends the same header name multiple times, get_headers returns them as an array of values. This happens most often with Set-Cookie, Link, and Vary headers, where multiple distinct values are valid in one response.
What does a 200 status mean if my page is broken? ▾
A 200 response only means the server returned a response successfully. The body may still contain an error page rendered by the application. To check the actual page content, fetch the body, not just the headers.
How is HEAD different from GET? ▾
HEAD requests return only the headers, no body. The server processes the request identically to GET but truncates the response. Some applications handle HEAD poorly and return 405 errors, in which case the result will show the error.
Why is the Server header missing? ▾
Modern web servers and reverse proxies often hide or rewrite Server headers as a security measure, since the version disclosed could reveal known vulnerabilities. Nginx, Apache, and Cloudflare all support stripping the header in their configurations.