
HTTP Headers Checker

Inspect the exact request headers your browser is sending right now — or paste any URL to see its response headers, TLS info, and redirect chain. Free, no signup, server-side proxy so CORS never gets in the way.

Request & response headers • TLS version & cert • Redirect chain • Cloudflare / Akamai / DataDome signal detection

Your User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; [email protected])
⚠ Looks like a bot • 14 headers

Tip: opinionated bot/browser guess based on presence of Sec-CH-UA + Accept-Language. Easy to tune in the source.

| Header | Value |
|---|---|
| host | `scrappey.com` |
| x-forwarded-for | `216.73.216.255,104.23.197.234` |
| cf-ray | `a036721afb4d90c0-CMH` |
| accept | `*/*` |
| user-agent | `Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; [email protected])` |
| cdn-loop | `cloudflare; loops=1` |
| cf-connecting-ip | `216.73.216.255` |
| cf-ipcountry | `US` |
| cf-visitor | `{"scheme":"https"}` |
| x-forwarded-proto | `https` |
| x-cloud-trace-context | `c9d7a5c4f459639628c0aa3ed00e92fa/6773571444947887446` |
| traceparent | `00-c9d7a5c4f459639628c0aa3ed00e92fa-5e008f575cd92556-00` |
| forwarded | `for="104.23.197.234";proto=https` |
| accept-encoding | `gzip, br` |

What are HTTP headers?

HTTP headers are key/value metadata that browsers and servers exchange on every request and response. Request headers tell the server who the client is (User-Agent), what content it understands (Accept, Accept-Language) and what state to maintain (Cookie). Response headers carry back the same kind of metadata about the document: its content type, caching rules, cookies to store, security policies, and clues about which CDN or WAF the request hit.

Why HTTP headers matter for web scraping

Almost every modern anti-bot system makes its first decision based on headers alone — before a single byte of HTML is rendered. A request with a stock python-requests/2.x User-Agent and no Accept-Language is flagged as a bot in microseconds. Sites use Accept-Language to infer geo, Sec-CH-UA-* client hints to cross-check the User-Agent, Referer to verify the click came from a real page, and Cookie to keep a session continuous. On the response side, `Set-Cookie: __cf_bm`, `cf-ray` or `Server: cloudflare` point to Cloudflare Bot Management, an `_abck` cookie points to Akamai, and a `datadome` cookie points to DataDome, so the response headers tell you immediately which one you're up against. Reading both sides of the header conversation is the fastest way to debug a scraper that suddenly stopped working.

Common headers a scraper needs to send

| Header | Purpose | Example |
|---|---|---|
| User-Agent | Identifies your client | `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ... Chrome/120` |
| Accept | Acceptable response MIME types | `text/html,application/xhtml+xml,*/*;q=0.8` |
| Accept-Language | Preferred languages | `en-US,en;q=0.9` |
| Accept-Encoding | Compression support | `gzip, deflate, br` |
| Referer | Linking page | `https://www.google.com/` |
| Cookie | Session state | `sessionid=abc123; csrftoken=xyz` |
| Sec-CH-UA | Client hint: browser brand | `"Chromium";v="120", "Not.A/Brand";v="24"` |
| Sec-CH-UA-Platform | Client hint: OS | `"Windows"` |
| Sec-Fetch-Site | Fetch metadata: origin relation | `cross-site` |
| Upgrade-Insecure-Requests | Prefer HTTPS | `1` |

Common headers a scraper sees in responses

| Header | What it tells you |
|---|---|
| Server | Origin or CDN name. cloudflare, akamai, nginx, Apache, etc. |
| cf-ray | Cloudflare request ID — confirms Cloudflare and which datacenter served you. |
| Set-Cookie: __cf_bm | Cloudflare Bot Management session cookie. Must be replayed on follow-up requests. |
| Set-Cookie: _abck | Akamai Bot Manager session cookie. |
| Set-Cookie: datadome | DataDome bot protection cookie. |
| X-RateLimit-Limit / -Remaining / -Reset | Rate-limit budget exposed to the client. |
| Retry-After | Server asks you to back off this many seconds (or until this date). |
| Strict-Transport-Security | HSTS — browsers will refuse plain http:// for max-age. |
| X-Frame-Options | Whether the page can be loaded in an iframe. |
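
As an added example (not code from this page or from Scrappey), here is one way a well-behaved client can turn the `Retry-After` and `X-RateLimit-*` rows above into a wait time, covering both the seconds form and the date form of `Retry-After`. The function name, the one-hour cap and the rule for interpreting `X-RateLimit-Reset` are assumptions made for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def backoff_seconds(headers, now=None, cap=3600):
    """Seconds to wait before the next request, derived from response headers."""
    now = now or datetime.now(timezone.utc)
    h = {name.lower(): value.strip() for name, value in headers.items()}

    retry_after = h.get("retry-after")
    if retry_after is not None:
        if retry_after.isdecimal():                # delay-seconds form
            return min(int(retry_after), cap)
        try:                                       # HTTP-date form
            when = parsedate_to_datetime(retry_after)
        except (TypeError, ValueError):
            when = None                            # unparseable: fall through
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return min(max(0, int((when - now).total_seconds())), cap)

    # X-RateLimit-* is not standardized. Assumption: Reset is either seconds
    # remaining or a Unix timestamp; values above 10**9 are treated as timestamps.
    reset = h.get("x-ratelimit-reset", "")
    if h.get("x-ratelimit-remaining") == "0" and reset.isdecimal():
        delta = int(reset)
        if delta > 10**9:
            delta = int(delta - now.timestamp())
        return min(max(0, delta), cap)
    return 0

if __name__ == "__main__":
    # Constructed sample response headers.
    print(backoff_seconds({"Retry-After": "120"}))
    print(backoff_seconds({"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "30"}))
```
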

How to set custom headers in Python, cURL, and Node.js

```python
# Python (requests)
import requests

headers = {
    "User-Agent": "Mozilla/5.0 ...",
    "Accept-Language": "en-US,en;q=0.9",
    "Referer": "https://google.com/",
}
# A timeout keeps the call from hanging forever on an unresponsive host.
r = requests.get("https://example.com", headers=headers, timeout=10)
print(r.status_code, r.headers)
```

```bash
# cURL (-s is silent; -I sends a HEAD request and prints only the response headers)
curl -sI \
  -H "User-Agent: Mozilla/5.0 ..." \
  -H "Accept-Language: en-US,en;q=0.9" \
  https://example.com
```

```javascript
// Node.js (built-in fetch, Node 18+; top-level await needs an ES module such as a .mjs file)
const res = await fetch("https://example.com", {
  headers: {
    "User-Agent": "Mozilla/5.0 ...",
    "Accept-Language": "en-US,en;q=0.9",
  },
});
console.log(res.status, Object.fromEntries(res.headers));
```

Frequently asked questions

What's the difference between request and response headers?

Request headers are metadata your client sends with each request (User-Agent, Accept, Cookie). Response headers are metadata the server sends back with the body (Content-Type, Set-Cookie, Cache-Control). Both directions are key/value pairs; the names overlap but the meaning depends on direction.

Which headers does Cloudflare check?

Cloudflare Bot Management looks at User-Agent, Accept, Accept-Language, Accept-Encoding, Sec-CH-UA-* client hints, TLS JA3/JA4 fingerprint, and HTTP/2 frame ordering. Pure header rotation rarely defeats it — the TLS handshake and HTTP/2 fingerprint matter as much as the headers themselves.

How can I see what headers my Python scraper is sending?

Use `print(prepared.headers)` after `req = requests.Request(...); prepared = req.prepare()`. Or run your code against an echo server like https://httpbin.org/headers — its JSON response is literally the request headers it received.
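
The echo-server approach can also be run entirely on your own machine. The following is an added example (not part of the original page) that starts a throwaway local echo server and returns the headers it received. It uses the standard-library `urllib` client rather than `requests`, so the defaults it reveals are urllib's; the names `EchoHeaders` and `sent_headers` are invented for the example.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoHeaders(BaseHTTPRequestHandler):
    """Reply with the request headers exactly as they arrived, as JSON."""

    def do_GET(self):
        received = {name.lower(): value for name, value in self.headers.items()}
        body = json.dumps(received).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def sent_headers(custom=None):
    """Send one GET to a local echo server and return the headers it saw."""
    server = HTTPServer(("127.0.0.1", 0), EchoHeaders)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/" % server.server_port
        req = urllib.request.Request(url, headers=custom or {})
        # An empty ProxyHandler stops environment proxies from intercepting
        # the loopback request.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            return json.load(resp)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # Headers the client adds on its own show up next to the one set here.
    print(sent_headers({"Accept-Language": "en-US,en;q=0.9"}))
```
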

Is changing the User-Agent enough to avoid detection?

No. A current User-Agent is the bare minimum, but modern anti-bot systems cross-check it against Sec-CH-UA client hints, the TLS fingerprint, HTTP/2 settings, and whether you load JS/CSS like a real browser. If only the UA changes, the inconsistency is itself a bot signal.
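
Seen from the detecting side, the cross-check described above can be sketched as follows. This is an added example, not the checker's source or any vendor's logic: the sample requests are constructed, and `header_signals` and `PLATFORM_TOKENS` are names invented here. It covers only the header part (presence of Accept-Language and Sec-CH-UA, agreement between the client hints and the User-Agent), not TLS or HTTP/2 fingerprints.

```python
import re

# Constructed sample requests (not captured traffic).
BROWSER = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
    "Sec-CH-UA": '"Chromium";v="120", "Not.A/Brand";v="24"',
    "Sec-CH-UA-Platform": '"Windows"',
}
SCRIPT = {"user-agent": "python-requests/2.31.0", "accept": "*/*"}
# Same request with only the User-Agent swapped; the client hints were left alone.
UA_ONLY = {**BROWSER, "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
           "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}

# Substring each Sec-CH-UA-Platform value should have in a matching User-Agent.
PLATFORM_TOKENS = {"Windows": "Windows NT", "macOS": "Mac OS X",
                   "Linux": "Linux", "Android": "Android"}

def header_signals(headers):
    """Return the reasons a request's headers look automated (empty list if none)."""
    h = {name.lower(): value for name, value in headers.items()}  # names are case-insensitive
    ua = h.get("user-agent", "")
    reasons = []
    if not ua or re.search(r"python-requests|curl/|bot\b", ua, re.I):
        reasons.append("tool or bot User-Agent")
    if "accept-language" not in h:
        reasons.append("no Accept-Language")
    chrome = re.search(r"Chrome/(\d+)", ua)
    if chrome:  # only Chromium-based browsers send client hints, and only over HTTPS
        hints = h.get("sec-ch-ua")
        if hints is None:
            reasons.append("Chrome User-Agent without Sec-CH-UA")
        else:
            brands = dict(re.findall(r'"([^"]+)";v="(\d+)"', hints))
            if brands.get("Chromium") != chrome.group(1):
                reasons.append("Sec-CH-UA version differs from User-Agent")
        token = PLATFORM_TOKENS.get(h.get("sec-ch-ua-platform", "").strip('"'))
        if token and token not in ua:
            reasons.append("Sec-CH-UA-Platform differs from User-Agent")
    return reasons

if __name__ == "__main__":
    for name, sample in (("browser", BROWSER), ("script", SCRIPT), ("ua-only", UA_ONLY)):
        print(name, header_signals(sample))
```
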

Are HTTP headers case-sensitive?

No, header names are case-insensitive per RFC 7230. `Content-Type`, `content-type`, and `CONTENT-TYPE` all parse identically. Some HTTP/2 implementations require lowercase on the wire, but every well-behaved parser folds case before lookup. Values, however, ARE case-sensitive — `gzip` and `GZIP` mean different things to some legacy servers.
