HTTP Header Analyzer

Paste HTTP response headers to get a security audit, caching analysis, and CORS check with copy-paste fix snippets.


What This Tool Does

Security Audit

Checks seven security headers: HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. Each header gets a pass/warn/fail rating with an explanation of the risk it addresses. One caveat on the list: X-XSS-Protection is deprecated, current browsers ignore it, and the only value worth sending is 0 (or omit it and rely on CSP).
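The parsing and rating logic described above, as an added example in JavaScript (this is not the analyzer's own source). It assumes header names are case-insensitive and folds them to lowercase, tolerates a leading status line such as `HTTP/2 200` from curl output, and uses the constructed SAMPLE block below as input; the pass/warn/fail thresholds (one year for HSTS, nonce or hash in script-src for CSP) are the ones the page recommends.

```javascript
// Added example, not the analyzer's own code: parse pasted response headers
// and rate the seven security headers listed above.

// Constructed sample input, as a user might paste it from curl -I.
const SAMPLE = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer`;

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || /^HTTP\/\d/.test(line)) continue; // blank or status line
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                               // not "name: value"
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers (several Set-Cookie, say) are joined with ", "
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a CSP value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns [{ header, status: 'pass' | 'warn' | 'fail', detail }].
function auditSecurityHeaders(h) {
  const results = [];
  const add = (header, status, detail) => results.push({ header, status, detail });

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [0, 0])[1]) : 0;
  if (!hsts) add('Strict-Transport-Security', 'fail', 'missing: plain-HTTP requests are never upgraded');
  else if (maxAge < 31536000) add('Strict-Transport-Security', 'warn', `max-age=${maxAge} is under one year`);
  else if (!/includeSubDomains/i.test(hsts)) add('Strict-Transport-Security', 'warn', 'no includeSubDomains: subdomains stay downgradable');
  else add('Strict-Transport-Security', 'pass', hsts);

  const csp = h['content-security-policy'];
  const d = csp ? parseCsp(csp) : {};
  const scriptSrc = d['script-src'] || d['default-src'];
  // Browsers ignore 'unsafe-inline' once a nonce or hash appears in the same directive
  const hasNonceOrHash = (scriptSrc || []).some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (!csp) add('Content-Security-Policy', 'fail', 'missing: script sources are unrestricted');
  else if (!scriptSrc) add('Content-Security-Policy', 'warn', 'no script-src or default-src: scripts are unrestricted');
  else if (scriptSrc.includes("'unsafe-eval'")) add('Content-Security-Policy', 'warn', "'unsafe-eval' permits eval() and new Function()");
  else if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) add('Content-Security-Policy', 'warn', "'unsafe-inline' permits injected inline scripts; use nonces or hashes");
  else add('Content-Security-Policy', 'pass', `script-src ${scriptSrc.join(' ')}`);

  const xcto = h['x-content-type-options'];
  if (!xcto) add('X-Content-Type-Options', 'fail', 'missing: browsers may sniff MIME types');
  else if (xcto.toLowerCase() === 'nosniff') add('X-Content-Type-Options', 'pass', xcto);
  else add('X-Content-Type-Options', 'warn', `unrecognised value "${xcto}"`);

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (d['frame-ancestors']) add('X-Frame-Options', 'pass', `CSP frame-ancestors takes precedence: ${d['frame-ancestors'].join(' ')}`);
  else if (!xfo) add('X-Frame-Options', 'fail', 'missing, and no CSP frame-ancestors: the page can be framed (clickjacking)');
  else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') add('X-Frame-Options', 'pass', xfo);
  else add('X-Frame-Options', 'warn', `"${xfo}" is not understood by current browsers (ALLOW-FROM is obsolete)`);

  const xxp = h['x-xss-protection'];
  if (!xxp || xxp.trim() === '0') add('X-XSS-Protection', 'pass', 'absent or 0: the header is deprecated and modern browsers ignore it');
  else add('X-XSS-Protection', 'warn', `"${xxp}": deprecated filter; send 0 or omit and rely on CSP`);

  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) add('Referrer-Policy', 'warn', 'missing: relying on the browser default');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') add('Referrer-Policy', 'warn', `${rp} leaks full URLs to other origins`);
  else add('Referrer-Policy', 'pass', rp);

  const pp = h['permissions-policy'];
  add('Permissions-Policy', pp ? 'pass' : 'warn', pp || 'missing: camera, microphone, geolocation and similar features are not restricted');

  return results;
}

// Usage: auditSecurityHeaders(parseHeaders(SAMPLE))
```

Running it on SAMPLE yields a warn for HSTS (300 seconds), a warn for CSP ('unsafe-inline' with no nonce), a fail for X-Frame-Options (absent, and no frame-ancestors to fall back on), a warn for the X-XSS-Protection value, and a warn for the missing Permissions-Policy.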

Caching Analysis

Parses Cache-Control directives and explains them in plain English. Checks Expires, ETag, Last-Modified, Vary, and Age headers. Identifies missing conditional request support and suboptimal caching strategies.
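A worked version of the caching analysis above, as an added example in JavaScript rather than the analyzer's own code. It takes an object of lowercased header names (what a header parser would produce), splits Cache-Control into directives, and reports the problems the page mentions plus the one with a direct security impact: a response that sets a cookie while remaining storable by shared caches. SAMPLE_CACHE is constructed for the demonstration.

```javascript
// Added example, not the analyzer's own code: Cache-Control parsing and
// caching analysis over an object of lowercased response headers.

// Constructed sample: a JSON response that sets a session cookie yet is public-cacheable.
const SAMPLE_CACHE = {
  'content-type': 'application/json',
  'cache-control': 'public, max-age=3600',
  'set-cookie': 'session=abc123; Path=/; HttpOnly',
  'content-encoding': 'gzip',
  'age': '120',
};

// 'public, max-age=3600, no-cache="Set-Cookie"' -> { public: true, 'max-age': '3600', 'no-cache': 'Set-Cookie' }
// Quoted values that themselves contain commas are not handled (rare in practice).
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = rest.length ? rest.join('=').replace(/^"|"$/g, '') : true;
  }
  return directives;
}

// Returns [{ level: 'info' | 'warn' | 'fail', message }].
function analyzeCaching(h) {
  const cc = parseCacheControl(h['cache-control']);
  const notes = [];
  const note = (level, message) => notes.push({ level, message });

  if ('no-store' in cc) {
    note('info', 'no-store: never written to any cache, so nothing else applies');
    return notes;
  }
  if ('set-cookie' in h && !('private' in cc)) {
    note('fail', 'Set-Cookie without private or no-store: a shared cache may store the response, cookie included, and replay it to other users');
  }

  const maxAge = 'max-age' in cc ? Number(cc['max-age']) : null;
  const sMaxAge = 's-maxage' in cc ? Number(cc['s-maxage']) : null;
  if ('no-cache' in cc) note('info', 'no-cache: may be stored, but must be revalidated with the origin before each reuse');
  else if (maxAge === null && sMaxAge === null && !h['expires']) note('warn', 'no max-age, s-maxage or Expires: caches fall back to heuristic freshness');
  else if (maxAge !== null) {
    note('info', `fresh for ${maxAge}s${sMaxAge !== null ? ` in browsers, ${sMaxAge}s in shared caches` : ''}`);
    if (h['expires']) note('info', 'Expires is ignored when max-age is present');
  }

  if (!h['etag'] && !h['last-modified']) note('warn', 'no ETag or Last-Modified: clients cannot send If-None-Match / If-Modified-Since, so every refetch downloads the full body');

  const vary = (h['vary'] || '').toLowerCase();
  if (vary === '*') note('warn', 'Vary: * makes every request a cache miss');
  else if (/\b(gzip|br|deflate)\b/i.test(h['content-encoding'] || '') && !vary.includes('accept-encoding')) {
    note('warn', 'compressed body without Vary: Accept-Encoding: a shared cache may serve the compressed copy to a client that cannot decode it');
  }
  if (Number(h['age']) > 0) note('info', `served from a cache ${h['age']}s after the origin generated it`);
  return notes;
}

// Usage: analyzeCaching(SAMPLE_CACHE)
```

On SAMPLE_CACHE the fail is the cookie-plus-public combination; the two warnings are the missing validator (no ETag or Last-Modified) and the missing Vary: Accept-Encoding on a gzip body.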

CORS Check

Analyzes Access-Control-Allow-Origin, Methods, Headers, Credentials, Max-Age, and Expose-Headers. Flags dangerous configurations like wildcard origins with credentials, and explains preflight caching behavior.
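The CORS checks above as an added JavaScript example (not the analyzer's own source). It takes an object of lowercased response headers and, where known, the Origin the request was sent with (visible in DevTools; pass null otherwise), and flags the wildcard-with-credentials case, the "null" origin, origin reflection without Vary: Origin, and the lesser-known rule that "*" is not a wildcard in Allow-Methods, Allow-Headers or Expose-Headers once credentials are involved. SAMPLE_CORS is constructed for the demonstration.

```javascript
// Added example, not the analyzer's own code: audit CORS response headers.

// Constructed sample: a credentialed API that reflects the caller's origin.
const SAMPLE_CORS = {
  'access-control-allow-origin': 'https://app.example.com',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, PUT, DELETE',
  'access-control-allow-headers': '*',
  'access-control-max-age': '600',
};

// Returns [{ level: 'info' | 'warn' | 'fail', message }].
function checkCors(h, requestOrigin) {
  const notes = [];
  const note = (level, message) => notes.push({ level, message });
  const allowOrigin = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').trim().toLowerCase() === 'true';
  const vary = (h['vary'] || '').toLowerCase().split(',').map((v) => v.trim());

  if (!allowOrigin) {
    note('info', 'no Access-Control-Allow-Origin: cross-origin reads are blocked, which is the safe default');
    return notes;
  }
  if (allowOrigin === '*') {
    if (credentials) note('fail', 'wildcard origin with Allow-Credentials: true: browsers block the response, and the intent (credentialed access from any site) is unsafe');
    else note('info', 'any origin may read this response, without credentials (fine for public data)');
  } else if (allowOrigin === 'null') {
    note('fail', '"null" is the Origin of sandboxed iframes and file:// pages, so any attacker can produce it');
  } else {
    if (requestOrigin && allowOrigin === requestOrigin) {
      note('warn', `Allow-Origin equals the request Origin (${requestOrigin}): if the server echoes every Origin it sees, this is a wildcard in disguise${credentials ? ', with credentials' : ''}`);
    }
    if (!vary.includes('origin')) note('warn', 'per-origin Allow-Origin without Vary: Origin: a cache may hand this response to a request from a different origin');
    if (credentials) note('info', `credentialed requests are allowed from ${allowOrigin}`);
  }

  // With credentials, "*" in these three headers is the literal name "*", not a wildcard
  for (const name of ['access-control-allow-methods', 'access-control-allow-headers', 'access-control-expose-headers']) {
    if (credentials && (h[name] || '').includes('*')) note('warn', `${name}: * is not a wildcard for credentialed requests; list the values explicitly`);
  }

  const maxAge = h['access-control-max-age'];
  if (maxAge === undefined) note('info', 'no Access-Control-Max-Age: preflight results are cached for only 5 seconds, so most non-simple requests pay an extra round trip');
  else note('info', `preflight result cached for ${maxAge}s (browsers cap this: Chromium at 7200, Firefox at 86400)`);
  return notes;
}

// Usage: checkCors(SAMPLE_CORS, 'https://app.example.com')
```

For SAMPLE_CORS the output is two warnings about reflection (the echoed origin and the missing Vary: Origin), a warning that Allow-Headers: * will not work for credentialed requests, and two informational notes; a wildcard origin combined with credentials, or a "null" origin, is reported as a fail.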

How to Get Your Headers

Browser DevTools

Open DevTools (F12) > Network tab > click any request > Headers tab > copy the Response Headers section and paste here.

curl

Run curl -I https://example.com in your terminal. This shows only the response headers; paste the entire output here, status line included. Note that -I sends a HEAD request, and some servers answer HEAD with different headers than GET, or refuse it outright. To capture the headers of a real GET without downloading the body, use curl -sD - -o /dev/null https://example.com instead.


How to Analyze HTTP Headers for Security

HTTP response headers control critical security behaviors — content security policies, frame embedding, HTTPS enforcement, and cross-origin access. This HTTP header analyzer audits your headers and scores them on security best practices, with specific fix snippets for Nginx, Apache, Express, and Cloudflare.

Unlike online scanners that require a live URL, this tool works with pasted headers — meaning you can analyze headers from staging environments, localhost, or curl output without exposing internal services to a third-party scanner. Everything runs in your browser; no data is sent anywhere.

The analyzer checks seven security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy), evaluates your caching configuration, and audits CORS settings. Each check includes a plain-English explanation of what the header does and why it matters, plus ready-to-use configuration snippets you can paste directly into your server config.

Tips

  • Get headers from any URL with: curl -I https://example.com (or curl -sD - -o /dev/null https://example.com, which shows the headers of a GET rather than a HEAD), then paste the output directly into this tool.
  • Strict-Transport-Security with max-age=31536000; includeSubDomains; preload is the gold standard for HSTS, and one year is also the minimum max-age the preload list accepts. Shorter max-age values weaken the protection because the browser forgets the policy sooner, though a short value is a sensible first step while you confirm every subdomain serves HTTPS. Add preload only once you are sure: preloading is effectively permanent, since the list ships inside browsers.
  • A Content-Security-Policy with 'unsafe-inline' or 'unsafe-eval' in script-src significantly weakens XSS protection. Use nonces or hashes instead; browsers that understand them ignore 'unsafe-inline' in the same directive, so it can stay as a fallback for older ones.
  • Access-Control-Allow-Origin: * is fine for public APIs, but never combine it with Access-Control-Allow-Credentials: true; browsers will block the response. Echoing whatever Origin the request sent, with credentials, is the same hole minus the browser check, and any per-origin value also needs Vary: Origin so caches do not serve one origin's response to another.