Live HTTP response audit
Fetch a URL's response headers with a request made from the PeopleAreGeek server side and turn the raw result into an admin report. The checker reviews status, response time, redirect hints, security headers, cache behavior, compression, content type, cookie flags and technology disclosure, and it keeps the exact header values visible so you can paste them into a ticket.
The live header endpoint samples the target with a server-side HEAD request and does not automatically follow redirects. The redirect tab asks the redirect checker for the path separately.
What an HTTP headers checker should tell you
Headers are where a web server describes the response before the browser renders the page. They reveal whether the status code is healthy, whether a redirect is being sent, whether compression is active, how caches should behave, which content type was returned and which browser security policies are advertised. A page can look perfectly normal while its response headers still contain weak policy, stale caching behavior or unnecessary server disclosure.
This audit is aimed at practical work. It keeps the raw header values visible, but it also translates them into decisions: what is present, what is missing, which issue matters now, and what should be tested carefully before it is changed on a live WordPress, proxy or CDN setup.
Headers worth reading first
- Status and Location explain whether you received content or a redirect response.
- Content-Type confirms whether the sampled resource is HTML, JSON, an image, a file or something unexpected.
- Cache-Control, ETag, Last-Modified and Vary explain caching behavior.
- Content-Encoding shows whether compression was advertised on this sampled response.
- Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy and frame policy headers help harden browser behavior.
Security headers need context
A missing header is not always a one-click fix. HSTS should be enabled only when HTTPS is stable for the host and required subdomains. A Content Security Policy is powerful, but a rushed policy can break forms, scripts, ads, analytics, embeds or admin flows. A frame policy can live in CSP frame-ancestors, in X-Frame-Options, or both for compatibility. Read the report, test in staging where possible, and retest through your CDN after deployment.
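An added example, not PeopleAreGeek's code: one way to turn a captured HEAD response into the kind of findings described above, counting frame protection as present when it appears in either CSP frame-ancestors or X-Frame-Options. The sample response, the function names and the 180-day HSTS threshold are assumptions made for illustration.

```python
import re

# Constructed sample: a raw HEAD response as a header checker might capture it.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    """Map lowercased header names to a list of values (Set-Cookie can repeat)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return findings to review; an empty list means this baseline is met."""
    h = parse_headers(raw)
    first = lambda n: h.get(n, [""])[0]
    findings = []
    hsts = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if not hsts:
        findings.append("hsts: missing")
    elif int(hsts.group(1)) < 15552000:  # assumed threshold, about 180 days
        findings.append("hsts: short max-age")
    csp = first("content-security-policy").lower()
    if not csp:
        findings.append("csp: missing")
    # Frame policy may live in CSP frame-ancestors, in X-Frame-Options, or both.
    if "frame-ancestors" not in csp and not first("x-frame-options"):
        findings.append("frame: no policy")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("nosniff: missing")
    if not first("referrer-policy"):
        findings.append("referrer-policy: missing")
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = sorted({"secure", "httponly", "samesite"} - attrs)
        if missing:
            findings.append(f"cookie {cookie.split('=')[0]}: missing {', '.join(missing)}")
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", first(name)):
            findings.append(f"{name}: version disclosed")
    return findings
```

A short HSTS max-age can be deliberate while HTTPS is still being rolled out, so treat that finding as a prompt to check rather than a defect.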
Headers, performance and SEO
Search engines do not rank a page because it has an elegant header table. They do care whether pages answer reliably, redirect consistently, stay on HTTPS, serve the expected content and avoid technical friction for users and crawlers. A clean header baseline supports that foundation. It should sit beside useful content, internal links, sitemap coverage and indexability checks rather than replace them.
Common questions
Why does the checker show a redirect instead of the final page headers?
The header endpoint samples the URL exactly as requested. If that URL redirects, the redirect response is the result. Check the redirect path, then test the final destination too.
Is a server header always a vulnerability?
No. A generic server value is common. Detailed technology disclosure is still worth reducing when it gives attackers unnecessary version or stack clues.
Does missing compression here mean the whole site is uncompressed?
No. Compression can vary by resource type, CDN, request method and response size. Treat the sampled result as a clue and retest the exact content path that matters.
Which security headers should every site send?
Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options set to nosniff, Referrer-Policy, and frame protection via X-Frame-Options or CSP frame-ancestors.
What does the Cache-Control header do?
It tells browsers and CDNs how long a response may be cached and whether it can be stored, controlling freshness and when the resource is revalidated.
Why do server-side header checks differ from my browser?
A CDN, reverse proxy or the browser cache can add or strip headers. This tool reads the server response directly, which reflects what the origin actually sends.













