HTTP Header Analyzer - Inspect & Validate Headers
Paste HTTP response headers to get instant explanations, security scoring, cookie flag checks, CSP analysis, and actionable recommendations - all offline.
Sample analysis (of the response shown below): Security Score 95 (Excellent). Headers: 10. Issues: 1. Missing Security: 0.
| Header | Category | Value | Notes |
|---|---|---|---|
| Content-Type | Entity | text/html; charset=utf-8 | Media type and optional charset of the body. |
| Cache-Control | General | no-store | Caching directives for request and response. |
| Strict-Transport-Security | Security | max-age=31536000; includeSubDomains | Tells the browser to use HTTPS for this host (and, with includeSubDomains, its subdomains) for max-age seconds (HSTS). |
| X-Content-Type-Options | Security | nosniff | Prevents MIME-type sniffing. Should be "nosniff". |
| X-Frame-Options | Security | DENY | Controls whether the page can be embedded in a frame. Browsers that support CSP frame-ancestors ignore it when that directive is present. |
| Referrer-Policy | Security | strict-origin-when-cross-origin | Controls how much referrer information is included with requests. |
| Content-Security-Policy | Security | default-src 'self'; script-src 'self' | Restricts the sources the browser may load resources from (scripts, styles, frames, etc.). |
| Permissions-Policy | Security | camera=(), microphone=() | Controls which browser features and APIs the page can use. |
| Server | Response | nginx/1.24.0 | Information about the server software. Avoid exposing version details. ⚠ Exposes server technology; consider removing it to reduce fingerprinting. |
| Set-Cookie | Response | session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict | Sets a cookie on the client. |
What are HTTP headers?
HTTP headers are key-value pairs sent at the start of every HTTP request and response. They control caching, authentication, content negotiation, CORS, cookies, and security policies. Understanding them is essential for web performance, security hardening, and debugging.
How to get your site's headers
- Open DevTools -> Network tab.
- Reload the page and click the main document request.
- Copy the response headers section and paste it here.
Alternatively, run curl -sI https://example.com in a terminal to print only the response headers. Note that -I sends a HEAD request, and some servers omit or change headers for HEAD; curl -s -D - -o /dev/null https://example.com prints the headers of a real GET response instead.
Security headers explained
| Header | Purpose |
|---|---|
| Strict-Transport-Security | Forces HTTPS (HSTS) |
| Content-Security-Policy | Restricts resource loading to mitigate XSS |
| X-Content-Type-Options | Prevents MIME sniffing |
| X-Frame-Options | Prevents clickjacking |
| Referrer-Policy | Controls referrer leakage |
| Permissions-Policy | Restricts browser feature access |
CORS headers
Cross-Origin Resource Sharing (CORS) headers control whether browsers allow web pages to make requests to a different origin. Misconfigured CORS is a common source of browser errors for API and frontend developers, and an over-permissive policy lets other origins read authenticated responses:
- Access-Control-Allow-Origin: specifies which origins may access the resource. Use * for public APIs; use a specific allowlisted origin for authenticated endpoints, and never echo an arbitrary request Origin back.
- Access-Control-Allow-Methods: lists the HTTP methods permitted (e.g., GET, POST, PUT, DELETE); sent in the preflight response.
- Access-Control-Allow-Headers: lists which request headers the browser may send; also sent in the preflight response.
- Access-Control-Allow-Credentials: set to true only if cookies or Authorization headers are needed; cannot be combined with a * origin.
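The allowlist logic described above, as an added example that is not part of this tool's own code. The origins in ALLOWED_ORIGINS are hypothetical, reflect_any_origin is the common mistake shown for contrast, and cors_misconfigurations is a small checker for the combinations a header analyzer should flag.

```python
# Constructed allowlist for an authenticated API (hypothetical origins).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def reflect_any_origin(request_origin):
    """The common mistake: echo whatever Origin arrives, with credentials.

    Any site can then read the authenticated response of a logged-in user.
    """
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_response_headers(request_origin, allowed_origins=ALLOWED_ORIGINS, credentials=False):
    """Return the CORS headers to emit for one request ({} means emit none).

    Public endpoint (credentials=False): the wildcard is enough.
    Authenticated endpoint (credentials=True): echo the Origin only on an
    exact allowlist match, never '*', and add Vary: Origin so a shared
    cache does not hand one origin's response to another.
    """
    if not credentials:
        return {"Access-Control-Allow-Origin": "*"}
    # Exact set membership: a startswith()/substring/regex check would let
    # https://app.example.com.attacker.net or https://evilapp.example.com through.
    if request_origin is None or request_origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_misconfigurations(headers):
    """Flag unsafe CORS combinations in a response header dict (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    issues = []
    if origin == "*" and creds:
        issues.append("Allow-Origin '*' with Allow-Credentials true: browsers reject the response")
    if origin == "null":
        issues.append("Allow-Origin 'null' matches sandboxed iframes and file: pages, so any site can obtain it")
    if creds and origin not in (None, "*", "null") and "origin" not in h.get("vary", "").lower():
        issues.append("per-origin Allow-Origin without Vary: Origin; shared caches may mix responses")
    return issues
```

A single captured response cannot tell an allowlist from blind reflection, which is why the checker only flags the static combinations; to detect reflection, send two requests with different Origin values and compare the Access-Control-Allow-Origin you get back.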
Security header checklist
| Header | What it protects against |
|---|---|
| Strict-Transport-Security | Forces HTTPS; prevents SSL stripping attacks |
| Content-Security-Policy | Restricts resource sources to mitigate XSS and data injection |
| X-Content-Type-Options: nosniff | Prevents MIME-type sniffing attacks |
| X-Frame-Options: DENY | Prevents clickjacking via iframe embedding (CSP frame-ancestors is the modern equivalent) |
| Referrer-Policy | Controls how much referrer info is sent; limits URL leakage |
| Permissions-Policy | Restricts browser features (camera, microphone, geolocation) |
Set-Cookie flags
- HttpOnly: hides the cookie from document.cookie, so script injected via XSS cannot read and exfiltrate it (the script can still send requests that carry it)
- Secure: only sent over HTTPS
- SameSite=Strict/Lax: the browser withholds the cookie on cross-site requests (Strict: all of them; Lax: all except top-level GET navigations), which blocks most CSRF; Chromium treats cookies without the attribute as Lax, and SameSite=None requires Secure
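The checks this page describes (missing security headers, HSTS max-age, CSP sources, Set-Cookie flags, server version exposure), as an added example that is not the tool's own code. SAMPLE is the response analysed at the top of the page; WEAK is a constructed response that trips most of the checks. The scoring weights (-10 per missing security header, -5 per other issue) are this example's own choice, not the tool's.

```python
import re

# Constructed sample input: the response analysed at the top of this page.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self'
Permissions-Policy: camera=(), microphone=()
Server: nginx/1.24.0
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""
# Constructed weak response to show what the checks flag.
WEAK = """\
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: script-src 'self' 'unsafe-inline' https:
Server: Apache/2.4.57
X-Powered-By: PHP/8.1.2
Set-Cookie: session=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure
"""

REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options",
            "referrer-policy", "permissions-policy"]


def parse_headers(raw):
    """Parse pasted headers into {lower-name: [values]}; repeated headers keep every value."""
    headers = {}
    for line in raw.splitlines():
        # no colon: status line or junk; leading colon: HTTP/2 pseudo-header (:status)
        if ":" not in line or line.startswith(":"):
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_csp(policy):
    """Return findings for one CSP value; an empty list means nothing flagged."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    findings = []
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    # script-src falls back to default-src when absent
    script = directives.get("script-src", directives.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
        if bad in script:
            findings.append(f"script-src allows {bad}")
    return findings


def check_cookie(value):
    """Return the problems of one Set-Cookie value (missing flags, bad combinations)."""
    attrs = {}
    for attr in value.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        attrs[key.lower()] = val.lower()
    problems = [f"lacks {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        problems.append("has SameSite=None without Secure (browsers reject it)")
    return problems


def analyze(raw):
    """Score a pasted header block: -10 per missing security header, -5 per other issue."""
    h = parse_headers(raw)
    missing = [n for n in REQUIRED if n not in h]
    issues = [f"missing {n}" for n in missing]
    if "strict-transport-security" in h:
        m = re.search(r"max-age=(\d+)", h["strict-transport-security"][0], re.I)
        if not m or int(m.group(1)) < 31536000:
            issues.append("HSTS max-age below one year")
    xcto = h.get("x-content-type-options")
    if xcto and xcto[0].lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")
    for csp in h.get("content-security-policy", []):
        issues.extend(check_csp(csp))
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        issues.extend(f"cookie {name} {p}" for p in check_cookie(cookie))
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d", h[name][0]):
            issues.append(f"{name} exposes a version: {h[name][0]}")
    score = max(0, 100 - 10 * len(missing) - 5 * (len(issues) - len(missing)))
    return {"score": score, "missing": missing, "issues": issues}
```

analyze(SAMPLE) reproduces the page's sample verdict (score 95, one issue: the Server version), while analyze(WEAK) bottoms out at 0 with five missing headers, three CSP findings, five cookie flag findings and two version leaks. The parser keeps every Set-Cookie line separately because merging them, as some tools do for other headers, would hide flags missing from one cookie but present on another.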