See What Your Server’s Telling Browsers
Your site’s not caching properly. Pages that should be cached for an hour are getting re-fetched on every request. Is it a Cache-Control header issue? A missing ETag? Or is your CDN overriding your cache headers entirely?
Enter any public URL and see every HTTP response header in a clean table. Status code at the top, then every header/value pair the server returned. Security headers, caching directives, content type, server identification, CORS headers — everything.
The Security Header Checklist
After checking the status code, scan for these headers. If they’re missing, your site has security gaps:
Strict-Transport-Security (HSTS). Forces browsers to use HTTPS for all future connections. Without it, a man-in-the-middle can downgrade the connection to HTTP on the first visit.
Content-Security-Policy (CSP). Controls which domains can serve scripts, styles, and other resources. Missing CSP = no XSS protection at the browser level. The CSP Generator on Toolsvu can help you build one.
X-Content-Type-Options: nosniff. Prevents browsers from guessing the content type. Without it, an attacker might trick the browser into executing a file that was supposed to be an image.
X-Frame-Options. Controls whether your page can be embedded in iframes. Set it to DENY or SAMEORIGIN to prevent clickjacking attacks.
Referrer-Policy. Controls how much URL information is sent in the Referer header when users navigate away. strict-origin-when-cross-origin is a solid default.
Performance Headers
Cache-Control tells browsers and CDNs how to cache the response. max-age=3600 means “cache this for one hour.” no-store means “never cache.” If your API responses are being cached when they shouldn’t be (or not cached when they should be), this header is the first place to check.
ETag is a content fingerprint. Browsers send it back in subsequent requests, and the server can respond with 304 Not Modified if the content hasn’t changed. Saves bandwidth.
Vary tells CDNs which request headers affect the response. Vary: Accept-Encoding means the server might return different content based on whether the client supports gzip or brotli.
Debugging Workflow
Your redirect chain seems wrong — the page goes through three 301s before reaching the final URL. Analyze each URL in the chain to see where each redirect points.
Your API returns application/json in development but text/html in production. The Content-Type header shows you what the server is actually sending, regardless of what you expect.
Your CDN isn’t caching assets. Check whether the origin server’s Cache-Control header includes private (which tells CDNs not to cache) or whether Vary: * is set (which makes caching nearly impossible).
The SSL Certificate Checker handles HTTPS certificate details. The URL Availability Checker does a simpler up/down check. The DNS Lookup shows the domain’s DNS records.
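The security header checklist and the CDN caching checks above, run as one pass over a captured header block. This is an added example, not code from Toolsvu; the sample response and the names parse_headers, directives and audit are constructed for illustration.

```python
# Added example; SAMPLE is constructed for illustration, not output from a real site.
SAMPLE = """HTTP/1.1 200 OK
Cache-Control: private, max-age=3600
Vary: *
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
"""

CHECKLIST = ("strict-transport-security", "content-security-policy",
             "x-content-type-options", "x-frame-options", "referrer-policy")

def parse_headers(raw):
    """Map lowercased header names to values; repeated headers are comma-joined."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                    # ignore malformed lines
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def directives(value):
    """Split 'a, b=1' or 'a; b=1' into {name: argument or None}."""
    out = {}
    for part in value.replace(";", ",").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def audit(raw):
    """Return findings for the checklist headers and the CDN caching checks."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in CHECKLIST if name not in h]
    if directives(h.get("strict-transport-security", "")).get("max-age") == "0":
        findings.append("hsts: max-age=0 switches HSTS off")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options: value is not nosniff")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: value is not DENY or SAMEORIGIN")
    if "private" in directives(h.get("cache-control", "")):
        findings.append("cache: private tells CDNs not to cache")
    if h.get("vary", "").strip() == "*":
        findings.append("cache: Vary: * makes caching nearly impossible")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A header that is present can still fail the audit: the sample sends Strict-Transport-Security and X-Frame-Options, but with values that give no protection.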