HTTP Header & Status Monitoring

Verify security headers and redirect chains on every check.

HTTP response headers control security policies, caching behavior, and redirect chains — and they change silently when servers are misconfigured or updated. NetTests fetches your URLs on a schedule, inspects the full response headers, and alerts when critical headers disappear, change value, or redirect chains behave unexpectedly.

Security headers break silently after server changes

Security headers like HSTS, Content-Security-Policy, X-Frame-Options, and Referrer-Policy are often configured at the web server or CDN layer. When a server is updated, a CDN configuration is changed, or traffic is routed differently, these headers can disappear without warning — removing protections that were silently preventing clickjacking attacks, mixed content, and cross-site scripting.

Redirect chains are equally fragile. An HTTP → HTTPS redirect that adds an extra hop, a www to non-www redirect that was dropped during a migration, or a canonical URL redirect that now points to the wrong destination — all are invisible to uptime monitoring but detectable with header inspection.

The cost of missing these regressions is rarely immediate, which is exactly what makes them dangerous. A dropped CSP header doesn't trigger an outage — it just quietly removes a layer of defense until the day an attacker relies on its absence. A broken canonical redirect doesn't 500 — it just bleeds search ranking and sends a fraction of visitors to the wrong page for weeks before anyone notices.

How NetTests HTTP monitoring works

NetTests fetches your configured URLs on a schedule and captures every response header exactly as your server or CDN sent it, without normalization that could mask a misconfiguration. Each header's value is compared against the previous successful check, and any addition, removal, or change is recorded as an explicit diff rather than a vague "something changed" notice.

Redirect chains are followed end to end: NetTests records every hop from the initial request to the final destination, including the status code and Location header returned at each step. This catches an extra hop introduced during a migration, a redirect loop, or a canonical URL that silently started pointing somewhere unexpected — all conditions that a simple "did it return 200" check would miss entirely.

Alerts reach your team through email, Slack, Microsoft Teams, or SMS — choose any combination per monitor, and decide whether a single failed check should fire an alert or whether NetTests should wait for a failure to repeat across a configurable number of consecutive checks first. The dashboard lists every monitored URL with its current header set and status code, and lets you open any past check to see exactly what changed and when. Time to first alert is typically under a minute from the moment a check fails.

Failure conditions are configurable per monitor and per header. You can require an exact header value, flag any change in either direction, or alert only when a specific header disappears entirely — useful for a header like CSP, where the precise policy may evolve over time but its presence is non-negotiable. Status code rules work the same way: treat the whole 2xx range as healthy, or pin a monitor to one exact code if your endpoint's contract requires it. Every check result, including the full header set and status code observed, is retained so you can reconstruct exactly what a URL was serving at any point in its history.

Key features

Security header monitoring

Track HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every check.

Redirect chain inspection

Follow and record the complete redirect chain for each URL — detect unexpected hops or destination changes.

Header change detection

Alert when a header value changes or a header is removed — catching misconfigurations as soon as they occur.

Status code tracking

Monitor for unexpected status code changes — a 200 becoming a 301, or a 301 becoming a 404.

Caching header validation

Track Cache-Control, ETag, and Expires headers — catch CDN misconfigurations that serve stale or unintended content.

Configurable alert sensitivity

Alert on the first failed check, or require a configurable number of consecutive failures to filter out transient blips.

Full check history

Every header set and status code is stored, so you can pinpoint exactly when a regression was introduced.

SSL correlation

View header and certificate status side by side on HTTPS endpoints — both layers, one dashboard.

What you'll see

Every header checked against its last known value, with a diff the moment something changes — so you're never left guessing what was actually different about the response.

Header Monitor — acme.com HEADER VALUE STATUS Strict-Transport-Security max-age=63072000 Unchanged X-Frame-Options DENY Unchanged Content-Security-Policy (missing) Removed Cache-Control public, max-age=300 Unchanged Alert sent — Content-Security-Policy header removed
Example monitor — illustrative data

Not ready to commit?

Try the free HTTP Headers tool first. Inspect your current response headers and redirect chain right now, with no account required, then set up continuous change detection on a schedule when you're ready.

Try the free tool →

Free HTTP inspection tools

Run a one-off header or status check now, or turn it into a scheduled monitor.

Frequently asked questions

What is HTTP header monitoring?

HTTP header monitoring checks the response headers your server returns on every request — security headers, caching directives, and redirect behavior — and alerts you when they change unexpectedly. It catches misconfigurations that a basic uptime check would miss, since the page can return a perfectly healthy 200 status while a critical header is silently missing.

Which security headers should I monitor?

Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are the headers most commonly relied on for baseline web security. Each protects against a different risk — HSTS against protocol downgrade, CSP against cross-site scripting, X-Frame-Options against clickjacking — so losing any one of them silently removes a specific layer of defense.

How does NetTests detect a header change?

Every scheduled check captures the full response header set and compares it against the last successful check. Any header that is added, removed, or has a different value is recorded as an explicit diff, and an alert is dispatched according to the sensitivity you've configured for that monitor.

What's the difference between HTTP monitoring and website monitoring?

Website monitoring typically asks one question: did this URL return a successful status code? HTTP header monitoring goes further, inspecting the actual headers and following the full redirect chain on every check. A page can return 200 while still failing an HTTP monitor — for example, if a security header was dropped or a redirect now points somewhere unexpected.

Can header monitoring catch a broken redirect?

Yes. NetTests follows the complete redirect chain for each monitored URL and records the status code and destination at every hop. An extra hop added during a migration, a redirect loop, or a canonical redirect that now points to the wrong page are all flagged as a change from the established baseline.

How quickly will I know if a header disappears?

Time to first alert is typically under a minute from the moment a check detects the change. You can choose to alert on the very first failed check, or require the change to persist across a configurable number of consecutive checks if you'd rather filter out transient anomalies before your team is notified.

Monitor your HTTP headers automatically

NetTests inspects your response headers on a schedule and alerts when security headers change or disappear — catching misconfigurations before they become vulnerabilities.

Start monitoring free →
No credit card required  ·  Free plan available