Free Tool

HTTP Header Inspector

Inspect HTTP response headers, check security grades, trace redirect chains, and spot server information leaks for any URL.

No sign-up required
Works with any URL
Instant results
Enter URL
Fetch Headers
Grade Security
View Report

Inspect Headers

Enter a URL to check its HTTP response headers and security configuration



What Does the HTTP Header Inspector Check?

Every time a browser loads a web page, the server sends HTTP response headers before the page content arrives. These headers control caching, security policies, redirects, and more. This tool fetches all response headers from any URL and grades six security headers against best practices: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

It also follows redirect chains from start to finish, showing every hop: HTTP to HTTPS, www to non-www, custom redirects. If your server leaks its software version through headers like X-Powered-By or Server, the tool flags that too.

Who Is This Tool For?

Web developers checking security header configuration. Site owners who want to know their server's security posture. SEO professionals auditing redirect chains before a migration. If you've seen an A-to-F security header grade on a competitor's report and want to check your own site, paste the URL above.

Frequently Asked Questions

Enter the URL into this tool and it traces every redirect hop, showing each 301 and 302 with its target. A redirect loop happens when URL A redirects to URL B, which redirects back to A. Common causes include conflicting redirect rules in .htaccess, WordPress settings not matching your actual domain, or your CDN and server both adding a www or HTTPS redirect. The chain view shows exactly where the loop occurs.

HTTP security headers are your first line of defence. This tool checks your site for all eight major headers: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (prevents XSS), X-Frame-Options (blocks clickjacking), X-Content-Type-Options (stops MIME sniffing), Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy. Each header is graded and the overall score runs from A+ to F.

Quite likely. This tool shows your Cache-Control, ETag, Expires, and Vary headers. If Cache-Control is set to no-cache or no-store, browsers re-download everything on every visit. A properly configured caching policy lets browsers store static assets locally, so repeat visitors load pages much faster without unnecessary network requests.

One redirect is normal (HTTP to HTTPS, or non-www to www). Two is acceptable. Three or more starts hurting performance and can confuse search engines. Every redirect adds 50-200ms of latency. Google follows up to 10 redirects but recommends keeping chains as short as possible. If you see 3+ hops, consolidate them into a single redirect from the original URL to the final destination.
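The chain tracing, loop detection and hop-count rule of thumb described in the two answers above, as an added example that is not the tool's own code. It runs against a constructed in-memory "site" (SAMPLE_SITE, sample_fetch) instead of live HTTP; swapping sample_fetch for a real request function is the only change needed to run it against a URL.

```python
from urllib.parse import urljoin

# Constructed sample "site": each URL maps to (status, Location header or None).
# It contains the chains the tool reports on: HTTP->HTTPS, non-www->www, a
# relative temporary redirect, and a two-URL loop.
SAMPLE_SITE = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (302, "/home"),
    "https://www.example.com/home": (200, None),
    "https://loop.example.com/a": (301, "https://loop.example.com/b"),
    "https://loop.example.com/b": (301, "https://loop.example.com/a"),
}
REDIRECT_KIND = {301: "permanent", 308: "permanent",
                 302: "temporary", 303: "temporary", 307: "temporary"}

def sample_fetch(url):
    """Stand-in for an HTTP request; returns (status, Location) for the sample site."""
    return SAMPLE_SITE.get(url, (404, None))

def trace_redirects(start_url, fetch=sample_fetch, max_hops=10):
    """Follow Location headers hop by hop, like the tool's chain view; verdict is
    'ok', 'loop' (a URL repeated) or 'too_long' (more than max_hops redirects)."""
    hops, seen, url = [], {start_url}, start_url
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_KIND or not location:
            return {"hops": hops, "final_url": url, "final_status": status, "verdict": "ok"}
        target = urljoin(url, location)  # Location may be relative to the current URL
        hops.append({"from": url, "status": status, "kind": REDIRECT_KIND[status], "to": target})
        if target in seen:  # we have been here before: A -> B -> A
            return {"hops": hops, "final_url": target, "final_status": status, "verdict": "loop"}
        if len(hops) >= max_hops:
            return {"hops": hops, "final_url": target, "final_status": status, "verdict": "too_long"}
        seen.add(target)
        url = target

def chain_advice(result):
    """The page's rule of thumb: 1 hop normal, 2 acceptable, 3+ consolidate."""
    n = len(result["hops"])
    if result["verdict"] == "loop":
        return f"redirect loop: {result['final_url']} is reached twice"
    if n <= 1:
        return "fine"
    if n == 2:
        return "acceptable, but could be one hop"
    return f"{n} hops: consolidate into one redirect to {result['final_url']}"
```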

Yes. Headers like Server: Apache/2.4.52 or X-Powered-By: PHP/8.2 tell attackers exactly what software to target. This tool flags exposed version information. To fix it: in Apache, add ServerTokens Prod. In Nginx, add server_tokens off. For PHP, set expose_php = Off in php.ini. Your hosting provider may also offer this as a control panel setting.

HSTS (Strict-Transport-Security) tells browsers to always connect over HTTPS, even if someone types http://. Without it, the first request to your site goes over plain HTTP before redirecting, which creates a window for man-in-the-middle attacks. This tool checks whether your site sends the HSTS header and shows the max-age value. If it's missing, your HTTPS setup has a gap.

CSP tells the browser which sources of content are trusted on your page. Without it, your site is more vulnerable to cross-site scripting (XSS) attacks. A basic policy like default-src 'self' only allows content from your own domain. You add it via your server config, CDN settings, or a WordPress security plugin. Start with a report-only policy first to avoid accidentally breaking your site. This tool checks for CSP, which carries the most weight in the security grade.

A 301 is permanent: it tells search engines the page has moved for good, and link authority passes to the new URL. A 302 is temporary: search engines keep the original URL indexed. Use 301 for permanent moves (HTTP to HTTPS, domain changes, restructured URLs). Use 302 only for genuinely temporary situations like A/B tests. This tool labels every redirect in the chain so you can check the correct type is being used.

Each of the eight security headers carries a weighted score based on how much protection it provides. Content-Security-Policy and Cross-Origin-Opener-Policy carry the most weight. HTTPS gets a baseline bonus. The total maps to a letter grade: A+ is a perfect 100, A is 90-99, B is 70-89, C is 50-69, D is 30-49, and F is below 30.
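A grading routine in the shape the FAQ describes (eight weighted headers, an HTTPS baseline bonus, the A+ to F thresholds above, plus the version-leak and HSTS max-age checks from the earlier answers), added here as an illustration rather than the tool's actual scoring code. The page gives the letter thresholds but not the per-header weights or the size of the HTTPS bonus, so HEADER_WEIGHTS and HTTPS_BONUS are assumed values chosen to sum to 100, and SAMPLE_HEADERS is a constructed response.

```python
import re

# Assumed weights: the page says CSP and COOP carry the most weight and HTTPS gets
# a baseline bonus but gives no numbers, so these are illustrative, summing to 100.
HEADER_WEIGHTS = {"content-security-policy": 25, "cross-origin-opener-policy": 15,
                  "strict-transport-security": 15, "x-frame-options": 10,
                  "x-content-type-options": 10, "referrer-policy": 10,
                  "permissions-policy": 5, "cross-origin-resource-policy": 5}
HTTPS_BONUS = 5
VERSION_RE = re.compile(r"\d+\.\d+")  # matches Apache/2.4.52, PHP/8.2
GRADE_FLOORS = ((100, "A+"), (90, "A"), (70, "B"), (50, "C"), (30, "D"))  # from the page

# Constructed sample response: HTTPS, HSTS effectively disabled, versions leaking
SAMPLE_HEADERS = {"Server": "Apache/2.4.52", "X-Powered-By": "PHP/8.2",
                  "Strict-Transport-Security": "max-age=0",
                  "X-Content-Type-Options": "nosniff"}

def letter_grade(score):
    """Map a 0-100 score to the page's letter scale (A+ only for a full 100)."""
    return next((g for floor, g in GRADE_FLOORS if score >= floor), "F")

def hsts_max_age(value):
    """max-age directive of an HSTS value, or 0 when absent or unparsable."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def grade_headers(url, headers):
    """Score one response; returns {'score', 'grade', 'findings'}."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, findings = 0, []
    if url.lower().startswith("https://"):
        score += HTTPS_BONUS
    else:
        findings.append("served over plain HTTP")
    for name, weight in HEADER_WEIGHTS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif name == "strict-transport-security" and hsts_max_age(value) == 0:
            findings.append("strict-transport-security max-age is 0 (disabled)")
        else:
            score += weight
    for leak in ("server", "x-powered-by"):  # flagged like the tool does, not scored
        if leak in h and VERSION_RE.search(h[leak]):
            findings.append(f"{leak} leaks version: {h[leak]}")
    return {"score": score, "grade": letter_grade(score), "findings": findings}
```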

Want to understand what each header does and how to add missing ones? Read the full HTTP Security Headers guide.

Need Fast, Secure Hosting?

From managed WordPress to cloud servers, all 365i hosting comes with enterprise security headers configured out of the box.