Star Computers

HTTP Header Check

Fetch a URL and display the response headers, status, redirects, and timing. Highlights missing common security headers (HSTS, CSP, X-Frame-Options, etc.).

HTTP / HTTPS header check

Fetches any public URL through our Cloudflare Worker (so CORS and cert quirks don't block the lookup) and reports the full redirect chain, response headers, and a security-header review.

What this does

Sends a GET request to the URL you provide and prints every response header, sorted alphabetically, along with the status code, the full redirect chain, and round-trip time. It also flags common security headers that are missing — useful as a quick baseline check before doing a more thorough audit with securityheaders.com or Mozilla Observatory.

The fetch is performed by our Cloudflare Worker at api.starcomputers.in, not from your browser — so CORS restrictions, mixed-content blocks, and HTTP-only targets all work. Redirects are followed manually and shown hop-by-hop.

Safeguards

Because the Worker can fetch on behalf of any visitor, it applies several guardrails:

  • Turnstile human-check on every request (invisible unless you look like a bot).
  • Per-IP rate limit — 30 requests per minute.
  • SSRF protection — targets and redirect destinations resolving to private ranges (RFC1918, loopback, link-local, CGNAT, ULA, *.local, *.internal) are rejected.
  • Method allowlist: GET and HEAD only.
  • Timeouts — 8 seconds per hop, max 5 redirects.

Security headers it looks for

Header | Why it matters
strict-transport-security | Forces HTTPS on future visits.
content-security-policy | Limits what sources the page can load resources from; the single biggest XSS mitigation.
x-frame-options | Blocks the page from being framed (clickjacking defense).
x-content-type-options | Disables MIME-sniffing.
referrer-policy | Controls how much of the referring URL leaks on outbound requests.
permissions-policy | Restricts browser features (camera, mic, geolocation).
cross-origin-opener-policy / embedder-policy / resource-policy | Cross-origin isolation primitives.
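As an added illustration of the two checks described above (the private-range rejection in the Safeguards list and the security-header review in this table), here is example code that is not the Star Computers Worker's own implementation. It assumes the caller has already resolved each hop's hostname and passes the resulting IP literals in; the DNS lookup, Turnstile and rate-limit steps are not shown.

```javascript
// Added example, not code from the Star Computers Worker: a security-header
// review and a private-range check of the kind the Safeguards list describes.
// isBlockedTarget() takes a hostname plus the addresses it resolved to
// (the DNS lookup itself is assumed to happen elsewhere).

const SECURITY_HEADERS = [
  'strict-transport-security', 'content-security-policy', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
  'cross-origin-opener-policy', 'cross-origin-embedder-policy',
  'cross-origin-resource-policy',
];

// Header names are case-insensitive, so compare in lower case. Returns the
// names from SECURITY_HEADERS that the response did not send.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return SECURITY_HEADERS.filter((h) => !present.has(h));
}

function ipv4ToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Ranges from the Safeguards list: RFC1918, loopback, link-local, CGNAT.
const BLOCKED_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
                    ['127.0.0.0', 8], ['169.254.0.0', 16], ['100.64.0.0', 10]];

function isBlockedAddress(ip) {
  let a = ip.toLowerCase();
  if (a.startsWith('::ffff:')) a = a.slice(7);            // IPv4-mapped IPv6
  if (a.includes(':')) {                                   // IPv6: loopback, ULA, link-local
    return a === '::1' || /^f[cd]/.test(a) || /^fe[89ab]/.test(a);
  }
  const n = ipv4ToInt(a);
  if (n === null) return true;                             // unparsable: fail closed
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Reject by name suffix (*.local, *.internal, localhost) or by any resolved
// address. Run this on every redirect hop, not only on the URL the visitor typed.
function isBlockedTarget(hostname, resolved) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.local') || h.endsWith('.internal')) return true;
  return resolved.length === 0 || resolved.some(isBlockedAddress);
}
```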

Why a server-side proxy

Browsers can only read the body and headers of responses that allow the originating site via CORS. A pure client-side version of this tool would silently fail on any target that doesn’t send Access-Control-Allow-Origin — which is most of them. Routing through our Worker sidesteps CORS entirely while keeping the tool auditable (rate-limited, logged, and protected from being weaponised against internal networks).