The HTTP header tool shows you the headers returned by a typical HTTP request to a web server.
In the text box, enter one of:
- A domain name, optionally preceded by “http://”.
- An IP address in standard form.
- An IP address as a single decimal number, with the “Convert Base-10 to IP” box checked.
By default, the tool will send an HTTP request. If you want to send a secure HTTPS (SSL or TLS) request, check the “SSL” box. Specifying “https://” in the text box has no effect.
Click the “HTTP Headers” radio button and then “Go.”
When to use it
This tool helps in diagnosing odd behavior in HTTP connections. It works only with a domain’s default page; the path to a specific page will be ignored if you enter it. It shows you if the request will be redirected, so it can help you to optimize your links.
What it does
The HTTP header tool sends an HTTP GET request to the specified domain. It receives back a response, or else it times out if there isn’t one. The response consists of an HTTP response code and other headers.
Standard headers are defined by the World Wide Web Consortium. A response may also include custom headers, whose names typically start with “X-”. These are supposed to be just informational, and ignoring them shouldn’t keep anything from working.
At the top you’ll see
FollowRedirects=False; Server requested redirection
That’s not a header, but just a reminder that you’re getting the initial HTTP response without any redirection, even if the response asked to have the request redirected.
The status code
The output will have a line of the form “HTTP headers for [your.domain].” It’s followed by a line containing the HTTP version and status code. The status code is the most important piece of information. The full list of codes is long, but here are some of the common ones:
- 200 (OK). The request was successful and the response includes the requested content.
- 301 (moved permanently). The requested content is at another URL, specified in the Location header. Replacing a link with the new URL will improve performance a little and could avoid a broken link later on.
- 302 (found), 303 (see other), and 307 (temporary redirect). These all indicate, with subtle differences, that the content is at another URL, specified in the Location header, but that it’s not a permanent new location.
- 401 (unauthorized). HTTP authentication is required to access the content.
- 403 (forbidden). Access isn’t allowed. Other headers may explain the reason. Prohibitions often depend on the requesting IP address. A page may be forbidden to our tools but not to your computer, or vice versa.
- 404 (not found). This one is familiar to everyone. The other headers or the returned content may give more information.
- 405 (method not allowed). The URL doesn’t accept the specified HTTP method, which in our case is always GET. The Allow header will list the accepted methods. The most common case is that the URL requires the POST method, though that’s rare for a domain’s home page.
- 410 (gone). This is like 404, but with more finality. It tells you that not only is the content unavailable but that there’s no known forwarding address. If you have a link to that URL, you should delete it.
- 500 (internal server error). This usually means a coding bug on the server which made it impossible to continue.
- 503 (service unavailable). The URL is temporarily unavailable on the server.
The Content-Type header indicates the format of the data being returned. For example, an HTML page might have this:
Content-Type: text/html; charset=UTF-8
The Content-Encoding header says how the data is encoded. Data is often sent in a compressed format for efficiency. An example:
The Last-Modified header tells you when the content last changed. For static pages it will normally be the file’s modification date. For dynamically generated pages the way of computing the date may vary. It’s never supposed to give a future date. An example:
Last-Modified: Mon, 25 Sep 2017 03:52:00 GMT
The Set-Cookie header does just what it says. There can be more than one in a response. The simplest case looks like this:
Set-Cookie: mycookie=xyz
That asks the browser to create a cookie named “mycookie”, with a value of “xyz”. It may have additional parameters indicating the expiration time, path, domain, and so on.
The Cache-Control header gives cache directives to the browser. If the content is never supposed to be cached, you might see
If it should be cached for no more than five minutes (300 seconds), the header would be
Cache-Control: max-age=300
The Allow header tells you what HTTP methods are accepted. Example:
Allow: GET, HEAD, PUT
A deeper look
When you enter a URL in a browser, the server often redirects it one or more times and gives you the result of a different URL. It may also instruct the browser to use cached information. HTTP status codes in the 300s produce these results. The HTTP headers tool shows you the status code which the server sent back and the new destination, rather than doing the redirection.
If you enter just a domain name in a browser’s address bar, you’ll often be redirected to the www subdomain (example.com to www.example.com). With this tool, you’ll see the redirection response. It will usually have a 301 status code but could have something else in the 300 range.
You may get back a 301 redirection to the equivalent https URL (e.g., http://example.com to https://example.com). This helps people to get to a secure page, but it’s not something to count on: the first request still goes out over plain HTTP before the redirect arrives. Change the link if you can.
The response to your own browser might be different for several reasons. The server may send different responses depending on the client IP address or the HTTP headers in the request. The server may use Accept, Accept-Language, User-Agent, and other headers to redirect you to a different page.
A rare but grimly amusing status code is 451, “Unavailable for legal reasons.” The code was named after Ray Bradbury’s novel about book-burning, Fahrenheit 451.
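The following is an added example, not the tool's own code. It reads an unfollowed first response the way the status-code list and the redirect cases above describe. The sample response and the function names `parse_head` and `review` are constructed for illustration.

```python
import http.client
import io
from urllib.parse import urljoin, urlsplit

# Constructed sample: a first response to GET http://example.com/ (not real output).
SAMPLE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Set-Cookie: mycookie=xyz\r\n"
    b"Set-Cookie: other=1; Path=/\r\n"
    b"\r\n"
)
PERMANENT, TEMPORARY = {301}, {302, 303, 307}


def parse_head(raw):
    """Split a raw response head into (status code, parsed headers)."""
    fp = io.BytesIO(raw)
    parts = fp.readline().decode("iso-8859-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return int(parts[1]), http.client.parse_headers(fp)


def review(requested_url, raw):
    """Interpret the first response without following any redirect."""
    status, headers = parse_head(raw)
    # A response can carry several Set-Cookie headers; keep them all.
    notes = {"status": status, "cookies": headers.get_all("Set-Cookie") or []}
    location = headers.get("Location")
    if status in PERMANENT | TEMPORARY and location:
        target = urljoin(requested_url, location)  # Location may be relative
        old, new = urlsplit(requested_url), urlsplit(target)
        notes["location"] = target
        notes["permanent"] = status in PERMANENT  # 301: update the link
        notes["https_upgrade"] = (old.scheme, new.scheme) == ("http", "https")
        notes["adds_www"] = new.hostname == "www." + (old.hostname or "")
    elif status == 405:
        allow = headers.get("Allow", "")
        notes["allowed"] = [m.strip() for m in allow.split(",") if m.strip()]
    elif status == 410:
        notes["delete_link"] = True  # gone, no forwarding address
    return notes


if __name__ == "__main__":
    print(review("http://example.com/", SAMPLE))
```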