π HTTP Header Checker for Troubleshooting β Old-vs-New: Diagnose Header Changes, Redirect Shift & Cache Breakage
Something broke after the deployment. The CDN isn't caching. CORS errors are flooding the browser console. The redirect from /old-page to /new-page is sending users to a 404. You know it's a header problem β but which header, out of the dozens in every HTTP response? The old-vs-new comparison workflow gives you the answer in 60 seconds: check the current headers, compare them against what they were before the change, and the diff pinpoints exactly which header changed, to what, and when. No guessing. No log-diving. One diff, one answer, one fix.
π§ Compare Headers Old-vs-New β Freeπ΄ Old Way: The Traditional HTTP Header Troubleshooting Nightmare
Before the HTTP Header Checker β and before the old-vs-new comparison methodology β troubleshooting an HTTP header problem was a multi-hour forensic exercise. The symptoms would appear: users report slow page loads (Cache-Control changed), the frontend team reports CORS errors (Access-Control-Allow-Origin changed), the security scanner flags missing HSTS on the login page (Strict-Transport-Security removed). The developer or SRE would then begin a tedious, manual investigation:
First, they'd SSH into a server and run curl -I https://example.com/affected-page. The raw header output would appear β 20 to 40 lines of header key-value pairs. They'd try to remember what the headers looked like before the deployment. Unless they had a photographic memory, they couldn't. They'd check the CDN dashboard to see if cache-hit ratios had changed. They'd review the deployment diff β hundreds of lines of code and configuration changes β looking for anything that might affect HTTP headers. They'd search for "Cache-Control" or "CORS" in the diff, but header-affecting changes are often indirect: a framework version bump, a middleware reorder, a new plugin that adds default headers. They'd check server configuration files β Nginx, Apache, CloudFront, Cloudflare β looking for recent changes. They'd ask the team: "Did anyone change anything related to HTTP headers?" The answer, invariably, is "No β nothing that should affect headers."
After 30-60 minutes of investigation, they'd identify the header change β but only after manually re-running curl -I against staging (which still had the old headers) and comparing the output line by line against production. The root cause was a one-line header change buried in a 200-line configuration update that nobody flagged during code review because HTTP headers are invisible in standard code diffs. The fix takes five minutes. Finding the fix took an hour.
π’ New Way: The Old-vs-New Comparison β 60 Seconds to Root Cause
The HTTP Header Checker's old-vs-new comparison workflow collapses the hour-long troubleshooting process into a 60-second diagnostic. Here's the method:
Step 1 β Capture the current state. Paste the affected URL into the HTTP Header Checker. In seconds, you see every response header β the status code, Content-Type, Cache-Control, CORS headers, security headers, redirect chain, and custom headers β all in a structured, searchable format. This is your "new" state. The symptom is visible: a missing Access-Control-Allow-Origin header, a Cache-Control: private, no-store where before there was public, max-age=3600, a missing Strict-Transport-Security on an HTTPS page.
Step 2 β Retrieve the old state. Check your header baseline β the JSON snapshot of headers captured before the last deployment, stored in your monitoring pipeline, CI/CD artifacts, or infrastructure repository. If you have a baseline, this step is instant. If you don't have a baseline, check alternative sources: the Wayback Machine for public URLs (it archives response headers), CDN logs (some CDNs log headers with request data), or the staging environment (if it hasn't been updated to the current deployment yet). For internal APIs, check your API gateway logs or monitoring tools that may have captured response headers during health checks.
Step 3 β Compare old vs new side by side. Load both header sets into the checker. The diff highlights every change with color coding: green for headers that were added (present in new, absent in old), red for headers that were removed (present in old, absent in new), yellow for headers whose values changed (present in both but with different values). For each changed header, you see the exact before and after values.
In the vast majority of header-related incidents, the diff reveals a single header change that explains all the symptoms. The Cache-Control value changed, the CDN stopped caching, and page-load times spiked. The Access-Control-Allow-Origin header disappeared, the browser blocked all cross-origin API requests, and the frontend broke. The Location header in the redirect rule changed, users are being sent to a different URL, and the marketing team reports broken links. The old-vs-new diff pinpoints the root cause in seconds β and the developer who made the deployment change can fix it immediately because they know exactly what changed.
π Side-by-Side: Old-vs-New Header Comparison in Action
Here's what the old-vs-new comparison looks like for the three most common header-related production incidents. Each shows the old state (before the breaking change), the new state (after), and the diagnostic conclusion.
ποΈ Scenario 1: CDN Cache Hit Ratio Dropped from 94% to 7%
Symptoms: Users report slow page loads. CDN dashboard shows cache-hit ratio plummeted. Origin server CPU spiked 12Γ. The deployment 4 hours ago updated the web framework from v3.2 to v3.3 β a "minor version bump" that shouldn't have changed anything.
π΄ OLD (Before Deploy β CDN Caching Works)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cache-Control: public, max-age=3600 ETag: "abc123" Vary: Accept-Encoding
π’ NEW (After Deploy β CDN Not Caching)
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cache-Control: private, no-store ETag: "abc123" Vary: Accept-Encoding
Diagnosis: The framework upgrade changed the default Cache-Control header from public, max-age=3600 to private, no-store. The CDN respects Cache-Control directives: public means "any cache can store this," private means "only the browser can cache this," and no-store means "don't cache this at all." The CDN stopped caching every page. The fix: override the framework's new default by explicitly setting Cache-Control: public, max-age=3600 in the server or CDN configuration.
ποΈ Scenario 2: Frontend Broke β All API Calls Return CORS Errors
Symptoms: The frontend team reports that every API call from the browser returns "No 'Access-Control-Allow-Origin' header is present." The backend team confirms the API returns 200 with correct JSON β testing with curl works fine. The deployment 2 hours ago added rate-limiting middleware to the API gateway.
π΄ OLD (Before Deploy β CORS Works)
HTTP/1.1 200 OK Content-Type: application/json Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: GET, POST, PUT, DELETE Access-Control-Allow-Headers: Authorization, Content-Type Vary: Origin
π’ NEW (After Deploy β CORS Broken)
HTTP/1.1 200 OK Content-Type: application/json Vary: Origin
Diagnosis: The new rate-limiting middleware was added to the request pipeline before the CORS middleware. When a preflight OPTIONS request arrived (which browsers send before cross-origin requests), the rate-limiting middleware handled it and returned a response without CORS headers β the CORS middleware never ran. The preflight failed, the browser blocked the actual request, and every API call from the frontend broke. The fix: reorder the middleware so CORS middleware runs before rate-limiting, or configure the rate-limiting middleware to pass through OPTIONS requests without processing.
ποΈ Scenario 3: Redirect Chain Changed β Marketing Campaign Links Broken
Symptoms: The marketing team reports that links in their email campaign β using the URL /promo/summer-sale β are sending users to a 404 page. The redirect from /promo/summer-sale to /sale/summer-2026 was working yesterday. A deployment this morning updated the site's URL routing configuration.
π΄ OLD (Before Deploy β Redirect Works)
Hop 1: 301 Moved Permanently Location: /sale/summer-2026 Hop 2: 200 OK (Summer sale landing page)
π’ NEW (After Deploy β Redirect Broken)
Hop 1: 301 Moved Permanently Location: /sales/summer-2026 Hop 2: 404 Not Found (/sales/ doesn't exist β it's /sale/)
Diagnosis: The URL routing update changed the target path from /sale/summer-2026 (singular) to /sales/summer-2026 (plural) β a one-character difference that's nearly invisible in a configuration diff. The old redirect was correct; the new redirect points to a path that doesn't exist. The fix: correct the Location header back to /sale/summer-2026. The old-vs-new comparison of the redirect chains made the one-character difference immediately visible β it's obvious when the before and after Location values are displayed side by side, but nearly invisible when scanning a 200-line routing configuration update.
π§ͺ The Diagnostic Checklist: Five Steps for Every HTTP Header Incident
Use this checklist the next time an HTTP header-related incident occurs. It takes you from "something is broken" to "this specific header changed" in under five minutes β no prior HTTP header expertise required.
-
Capture current headers immediately. As soon as the incident is declared, paste the affected URL into the HTTP Header Checker and capture the complete header set. Do this before anyone makes changes to "fix" the issue β changed headers are forensic evidence, and you need the unmodified state. Save the headers as
incident-headers-new.json. Note the timestamp, the URL, and any deployment or configuration change that preceded the incident. - Retrieve the pre-incident header baseline. Check your monitoring pipeline, CI/CD artifacts, or header baseline repository for the headers that were captured before the most recent deployment. If you don't have a formal baseline, check CDN logs, API gateway logs, the Wayback Machine (for public URLs), or a staging environment that hasn't been updated. The key is to find any snapshot of what the headers looked like before the incident.
- Run the old-vs-new comparison. Load both header sets into the Checker and compare them side by side. Focus on the categories of headers most likely to cause each symptom type: CORS headers for frontend API failures, Cache-Control and related headers for CDN/performance issues, security headers for scanner/audit failures, redirect headers (Location, 3xx status codes) for broken links or wrong destinations. In most incidents, a single header change explains every symptom.
-
Trace the header change to the deployment or configuration change that caused it. Once you've identified the changed header, find the deployment, PR, or configuration update that introduced the change. The header diff tells you what changed; the deployment history tells you why. A
Cache-Controlchange after a framework upgrade suggests the new framework version changed defaults. A CORS header removal after a middleware addition suggests a request pipeline ordering issue. A redirect Location change after a routing update suggests a typo in the new configuration. - Fix the header, verify with the Checker, and update the baseline. Apply the fix β update the server configuration, reorder middleware, correct the redirect target, or override the framework default. Verify the fix by re-checking the URL in the Header Checker and confirming the old-vs-new comparison now shows only the intended changes. Update the header baseline to include the fixed state. Document the incident in the baseline with a note: which header changed, why, when, and how it was fixed β so the next engineer who encounters a similar symptom can check the baseline history and find the answer in seconds.
πΊοΈ When You Don't Have a Baseline: Alternative Sources for "Old" Headers
The old-vs-new comparison is most powerful when you have a formal header baseline β but even teams without one can reconstruct a "before" state from alternative sources. Here are the most reliable alternatives, ranked by speed and accuracy:
π Which Headers to Compare β By Symptom
Not all headers are relevant to every symptom. Here's a quick-reference mapping from symptoms to the specific headers to compare in the old-vs-new diff:
| Symptom | Headers to Compare | Most Likely Culprit |
|---|---|---|
| CDN stopped caching | Cache-Control, Expires, Vary, Set-Cookie, Age, X-Cache | Cache-Control changed to private/no-store |
| CORS errors in browser | Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Vary | CORS headers removed entirely |
| Security scanner flags missing headers | Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy | HSTS or CSP removed after config change |
| Redirects sending users to wrong page | Location (each hop), status codes (301/302/307/308), redirect count | Location header value changed |
| Browser doesn't execute JavaScript | Content-Type, X-Content-Type-Options | Content-Type changed from application/javascript to text/plain |
| API client fails to parse response | Content-Type, Content-Encoding | Content-Type changed from application/json to text/html |
| Page renders as raw HTML/JSON | Content-Type | Content-Type mismatch with response body |
| Login page downgrades to HTTP | Strict-Transport-Security, Location (redirect chain) | HSTS removed; HTTPSβHTTP redirect added |
π Pair the HTTP Header Checker With Your Troubleshooting Toolkit
The HTTP Header Checker is most powerful when paired with ToolStand's other diagnostic tools. When a header change is the root cause, use the Diff Checker to compare configuration files before and after the deployment that introduced the change. The SSL Checker verifies TLS certificate health β a critical companion when HSTS headers are involved. The URL Encoder/Decoder helps debug redirect URLs that contain special characters β a common cause of broken redirect chains. The JSON Formatter formats header baselines for readability and comparison. For broader use cases, explore HTTP Header Checker for Coding Workflow β the problem-solution guide for preventing header bugs during development β and HTTP Header Checker for DevOps β the FAQ guide for monitoring, CI/CD integration, and automated header auditing. Also check the How to Check HTTP Headers blog post for comprehensive header debugging techniques and the Web Security Headers Guide for a deep dive into every security header and its correct configuration.
β Frequently Asked Questions
How do I find exactly which HTTP header changed after a deployment?
The old-vs-new comparison workflow gives you a precise answer in under 60 seconds: (1) Use the HTTP Header Checker to fetch the current headers from the affected URL β this is your 'new' state. (2) Retrieve the header baseline from before the deployment β either from your monitoring pipeline's artifact store, your CI/CD header snapshots, or the Wayback Machine's HTTP header archives for public URLs. This is your 'old' state. (3) Compare the two header sets side by side. The diff highlights every change: headers that were added (green), headers that were removed (red), and headers whose values changed (yellow). For each change, you see the exact before value and after value. The root cause is usually one specific header change β typically Cache-Control, a CORS header, Content-Security-Policy, or a redirect Location. The old-vs-new diff pinpoints it in seconds, compared to the traditional troubleshooting approach of checking server logs (which don't log headers), reviewing the deployment diff (where header changes are buried in configuration files), and manually testing with curl -I before and after (which requires you to already know the before state).
The CDN stopped caching after a deployment β how do I find the header that caused it?
CDN caching failures are almost always caused by a single header change: Cache-Control. Use the old-vs-new comparison: check the URL's current headers (through the CDN) and compare them against the pre-deployment baseline. If Cache-Control changed from 'public, max-age=3600' to 'private, no-store', that's your root cause β the CDN respects the Cache-Control directive and stops caching. Also check: (1) Vary header β if 'Vary: User-Agent' was added, the CDN now caches separate copies for every User-Agent string, fragmenting the cache and causing apparent 'misses' for most requests. (2) Set-Cookie header β if the page now sets a cookie where it didn't before, many CDNs automatically bypass the cache for responses that set cookies. (3) Authorization header requirement β if the page now requires authentication (returns 401 without it), the CDN may not cache 401 responses. The Header Checker's old-vs-new comparison surfaces all of these changes in a single diff, so you don't have to guess which of a dozen possible causes is responsible.
How do I diagnose why CORS errors started appearing after a framework upgrade?
Framework upgrades are a common trigger for CORS header changes because they often include new default middleware, updated security configurations, or changed request-handling pipelines. To diagnose: (1) Use the HTTP Header Checker to fetch headers from the affected API endpoint after the upgrade β this is your 'new' state. (2) Retrieve the headers from before the upgrade β either from your monitoring baseline, your CI/CD artifacts, or by checking a staging environment that hasn't been upgraded yet. (3) Compare old vs new. The diff will reveal one of several possibilities: the Access-Control-Allow-Origin header was removed entirely (the framework's new default doesn't include CORS middleware), the value changed from your specific frontend domain to '*' or to a different domain, the Access-Control-Allow-Methods or Access-Control-Allow-Headers values changed (narrowing what's allowed), or the response now includes a Vary: Origin header that wasn't there before (which changes caching behaviour for CORS responses). In every case, the old-vs-new comparison identifies the exact header change responsible β you don't need to read the framework changelog, audit the middleware configuration, or reproduce the error in a local environment.
Can I compare HTTP headers between two different environments to find why a bug only appears in production?
Yes β cross-environment header comparison is one of the most powerful troubleshooting techniques for 'works in staging, broken in production' bugs. Use the HTTP Header Checker to fetch headers from the same URL path in both staging and production. Compare the two header sets side by side. Common cross-environment header differences that cause production-only bugs: (1) CORS headers β staging allows the frontend's staging domain but production doesn't allow the production frontend domain (or vice versa). (2) CSP directives β staging's CSP allows a script source that production's CSP blocks (e.g., a third-party analytics script whitelisted in staging's CSP but not production's). (3) HSTS β production enforces HSTS (requiring HTTPS) but staging doesn't, so a mixed-content issue (HTTP resource on an HTTPS page) is silently upgraded in staging but blocked in production. (4) Cache-Control β production sets aggressive caching (CDN caches for hours) while staging sets no-cache (for rapid iteration), so a stale-content bug only manifests in production. The cross-environment header diff surfaces these differences instantly, turning a multi-hour debugging session into a 60-second comparison.
How far back can I compare HTTP headers β can I check what headers looked like weeks or months ago?
Your ability to compare headers historically depends on whether you've been maintaining header baselines. If you have β through a monitoring pipeline, CI/CD artifact storage, or periodic snapshots β you can compare current headers against any historical baseline in your archive. For teams that haven't been maintaining baselines, you can establish a partial historical record using: (1) The Wayback Machine (web.archive.org) β for public URLs, the Wayback Machine archives HTTP response headers alongside page content. Check archived snapshots to see headers from weeks or months ago. (2) CDN logs β some CDNs log response headers as part of their request logs. Check your CDN's log retention. (3) Monitoring tools β if you use uptime monitoring, synthetic monitoring, or security scanners, they may have logged response headers from past checks. (4) Deployment artifacts β your CI/CD system may have stored HTTP response headers as part of integration tests, even if you weren't intentionally maintaining a header baseline. Going forward, the single most valuable step you can take is to start maintaining header baselines today β even a week of baseline data gives you a reference point for the next header-related incident.