
Analyzing Server Response Headers: What They Reveal About a Website

HTTP headers are metadata that the server sends along with the response. They control caching, security, authentication, compression, and many other aspects of how a website operates. The ability to read and analyze headers is an essential skill for web developers, SEO specialists, and system administrators.

Categories of HTTP Headers

Response headers can be divided into several main categories:

| Category | Examples | Purpose |
|---|---|---|
| Caching | Cache-Control, ETag, Expires, Last-Modified | Managing browser and proxy caching |
| Security | CSP, HSTS, X-Frame-Options, X-Content-Type-Options | Protection against attacks |
| Content | Content-Type, Content-Length, Content-Encoding | Describing the response body |
| CORS | Access-Control-Allow-Origin and others | Cross-origin requests |
| Connection | Connection, Keep-Alive | Managing TCP connections |
| Server | Server, X-Powered-By | Server information |

Caching Headers

Cache-Control

The most important header for cache management. It defines who can cache the response, for how long, and under what conditions.

Key directives:

You can check your site's caching headers using the enterno.io HTTP header checker tool.

ETag

ETag (Entity Tag) is a unique identifier for a specific version of a resource. On subsequent requests, the browser sends If-None-Match with the stored ETag. If the resource hasn't changed, the server returns 304 Not Modified without the response body, saving bandwidth.

# First request — 200 response with ETag
HTTP/1.1 200 OK
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

# Subsequent request — client sends If-None-Match
GET /style.css HTTP/1.1
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

# Response — 304, no body transferred
HTTP/1.1 304 Not Modified

Last-Modified and If-Modified-Since

An alternative to ETag based on the last modification time. Less precise (1-second resolution) but simpler to implement. ETag takes precedence when both headers are present.
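As an added example (not code from the original article), here is a minimal server-side handler for the conditional-request flow described in the ETag and Last-Modified sections: If-None-Match is evaluated first, If-Modified-Since only as the fallback, and the time comparison uses whole seconds because Last-Modified has 1-second resolution. The function name conditional_response and the Cache-Control value it emits are my assumptions.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime

def make_etag(body: bytes) -> str:
    # Strong ETag derived from the body: any byte change produces a new tag.
    return '"' + hashlib.sha1(body).hexdigest() + '"'

def conditional_response(request_headers: dict, body: bytes, last_modified: float):
    """Return (status, headers, body) for a GET, honouring If-None-Match first
    and If-Modified-Since only as the fallback (ETag takes precedence)."""
    etag = make_etag(body)
    resp_headers = {
        "ETag": etag,
        "Last-Modified": formatdate(last_modified, usegmt=True),
        "Cache-Control": "max-age=0, must-revalidate",  # assumed policy for this example
    }
    # Header names are case-insensitive; normalise the request side once.
    req = {k.lower(): v for k, v in request_headers.items()}

    if "if-none-match" in req:
        # The client may list several tags (or "*"); weak tags carry a W/ prefix.
        candidates = [t.strip() for t in req["if-none-match"].split(",")]
        if "*" in candidates or any(t.removeprefix("W/") == etag for t in candidates):
            return 304, resp_headers, b""
        # A present but non-matching ETag wins: If-Modified-Since is ignored.
        return 200, resp_headers, body

    if "if-modified-since" in req:
        try:
            since = parsedate_to_datetime(req["if-modified-since"]).timestamp()
        except (TypeError, ValueError):
            since = None  # malformed date: treat the request as unconditional
        # Last-Modified has 1-second resolution, so compare whole seconds.
        if since is not None and int(last_modified) <= int(since):
            return 304, resp_headers, b""

    return 200, resp_headers, body
```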

Expires

A legacy header that sets an absolute cache expiration date. Cache-Control: max-age takes priority over Expires. Use Expires only for compatibility with very old clients.

Security Headers

Content-Security-Policy (CSP)

CSP is a powerful mechanism for protecting against XSS and content injection attacks. It defines where a page can load scripts, styles, images, and other resources from.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.example.com

Start with Content-Security-Policy-Report-Only mode — it doesn't block resources but only sends reports about violations.

Strict-Transport-Security (HSTS)

HSTS forces the browser to always use HTTPS (TLS) for the given domain. This prevents downgrade and SSL-stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The preload directive allows adding the domain to the built-in HSTS list in Chrome, Firefox, and Safari browsers.

X-Frame-Options

Protects against clickjacking attacks by preventing the page from being embedded in a frame. Use DENY or SAMEORIGIN. The modern alternative is the frame-ancestors directive in CSP.

X-Content-Type-Options

The nosniff value stops the browser from "guessing" the MIME type of the content, which prevents MIME-sniffing attacks. Always enable this header.

Referrer-Policy

Controls how much referrer information is passed when navigating to another site. The recommended value is strict-origin-when-cross-origin.

Permissions-Policy

Controls access to device APIs: camera, microphone, geolocation, payments. Disable unused capabilities:

Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=()

Content Headers

Content-Type

Specifies the MIME type of the response body. Always include charset for text types:

Content-Type: text/html; charset=utf-8
Content-Type: application/json; charset=utf-8
Content-Type: image/webp

Content-Encoding

Indicates the compression algorithm used for the response body:

If your site doesn't return Content-Encoding, compression is not configured — this is a serious performance issue.

CORS Headers

Cross-Origin Resource Sharing headers define the rules for cross-domain requests:

For more on configuring CORS securely, read our article on API security.

The Server Header and Information Security

The Server header reveals the web server's name and version, while X-Powered-By reveals the server-side language or framework. This information helps attackers select exploits.

Recommendations:

How to Analyze Headers

To analyze headers, use:

Optimal Headers Checklist

  1. Cache-Control configured for all resource types
  2. Content-Encoding: br or gzip for text resources
  3. Content-Security-Policy restricts content sources
  4. Strict-Transport-Security with a long max-age
  5. X-Content-Type-Options: nosniff enabled
  6. X-Frame-Options or CSP frame-ancestors configured
  7. Referrer-Policy limits referrer exposure
  8. Permissions-Policy disables unused APIs
  9. Server header doesn't reveal the version
  10. X-Powered-By removed
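As an added example (my own code, not the enterno.io checker or anything from the original article), the following script turns the checklist above into automated findings: audit_headers takes a response header set and returns one finding per failed item, and fetch_headers retrieves live headers with a HEAD request. The concrete thresholds are assumptions: "long max-age" is taken as the one-year value used earlier in the article, and a Server header is flagged when it contains a dotted version number.

```python
import re
import urllib.request

def parse_csp(csp: str) -> dict:
    # Split "directive src src; directive ..." into {directive: [sources]}.
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers: dict) -> list:
    # Returns one finding per failed checklist item; an empty list means all passed.
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    ctype = h.get("content-type", "").lower()
    if "cache-control" not in h:
        findings.append("Cache-Control missing")
    if ctype.startswith(("text/", "application/json", "application/javascript")) and h.get("content-encoding") not in ("br", "gzip"):
        findings.append("Content-Encoding is not br/gzip for a text resource")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP allows 'unsafe-inline' scripts")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:  # one year, as in the HSTS example (assumed threshold)
        findings.append("Strict-Transport-Security missing or max-age under one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("Neither X-Frame-Options nor CSP frame-ancestors set")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("Server header reveals a version number")
    if "x-powered-by" in h:
        findings.append("X-Powered-By present")
    return findings

def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    # Live check over the network (not exercised offline); HEAD avoids downloading the body.
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers)
```

To audit a live site, pass the result of fetch_headers(url) to audit_headers; the header dictionaries in the checks can equally come from a saved response.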

Try It Yourself

Analyze your website's headers right now with the enterno.io HTTP header analyzer — get a full report in seconds.
