
🔍 HTTP Headers Analyzer

Runs entirely in your browser - no data sent to server


📊 Key Data Points

HSTS required

HTTP Strict Transport Security — forces browsers to always use HTTPS for the site, even if the user types an http:// URL

CSP prevents XSS

Content Security Policy is the primary defense against cross-site scripting attacks

Vary: Accept-Encoding

Required for CDNs to correctly cache both compressed and uncompressed versions

HTTP Headers Analyzer -- Complete USA Guide 2026

HTTP response headers tell you everything about how a server behaves: whether it compresses responses, what caching policy it applies, whether CORS is configured correctly, and whether security headers like HSTS and CSP are present.

This analyzer parses raw HTTP headers and explains each one. Runs in your browser.

**Long-tail searches answered here:** parse and explain HTTP response headers online, check if CORS headers are correct free tool, analyze Content-Security-Policy header online.

Pair with curl Builder to capture headers and HTTP Status Codes for status code interpretation.

🔬 How This Calculator Works

Paste raw HTTP response headers (from browser DevTools Network Response Headers, or from curl -I output). The analyzer parses each Header-Name: value line and matches it against a reference database.

For security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options), the analyzer checks each value against best-practice configuration and flags issues such as a missing includeSubDomains on HSTS or a missing default-src in CSP.

For caching headers (Cache-Control, ETag, Last-Modified, Expires), it calculates the effective cache duration.
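The parse-and-audit step described above, as an added example in JavaScript (the tool runs in the browser); this is not the analyzer's own code. It goes slightly beyond the text by also accepting a CSP frame-ancestors directive as clickjacking protection, and the SAMPLE header block is constructed for the demo.

```javascript
// Added example (not the analyzer's own code): parse a pasted header block
// and run the security checks the text describes. Keys are lowercased.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//.test(line)) continue;            // skip the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                        // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated fields are combined with ", " (RFC 9110 field-line joining)
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

function auditSecurityHeaders(headers) {
  const issues = [];
  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    issues.push("HSTS missing");
  } else {
    const maxAge = /max-age=(\d+)/i.exec(hsts);
    if (!maxAge) issues.push("HSTS has no max-age");
    else if (Number(maxAge[1]) < 31536000) issues.push("HSTS max-age below one year");
    if (!/includeSubDomains/i.test(hsts)) issues.push("HSTS missing includeSubDomains");
  }
  const csp = headers["content-security-policy"] || "";
  if (!csp) {
    issues.push("CSP missing");
  } else {
    const directives = csp.split(";").map(d => d.trim().split(/\s+/)[0].toLowerCase());
    if (!directives.includes("default-src")) issues.push("CSP missing default-src");
  }
  if ((headers["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    issues.push("X-Content-Type-Options: nosniff missing");
  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive suffices
  if (!headers["x-frame-options"] && !/frame-ancestors/i.test(csp))
    issues.push("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)");
  return issues;
}

// Constructed sample, in the form DevTools or `curl -I` would give you
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Strict-Transport-Security: max-age=31536000",
  "Content-Security-Policy: script-src 'self'; object-src 'none'",
  "X-Frame-Options: DENY",
].join("\n");
```

Running auditSecurityHeaders(parseHeaders(SAMPLE)) reports the missing includeSubDomains, the missing default-src, and the missing nosniff.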

✅ What You Can Calculate

Security header audit

Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy. Flags missing or misconfigured security headers that leave your app vulnerable.

CORS configuration check

Parses Access-Control-Allow-Origin, Allow-Methods, and Allow-Headers. Identifies overly permissive configurations (wildcard origins with credentials) and missing headers.

Cache behavior analysis

Calculates effective cache duration from Cache-Control, Expires, and ETags. Shows exactly how long browsers and CDNs will cache the response.

Content-Type validation

Validates that Content-Type values include charset declarations for text types and are correctly formatted for binary responses.

🎯 Real Scenarios & Use Cases

Security header audit before launch

Before launching, capture headers from your staging environment and paste here. Check that HSTS, CSP, and X-Frame-Options are all present and correctly configured.

Debugging CORS errors

Your browser throws a CORS error. Capture the response headers from the failing preflight request and paste here to see exactly which CORS header is missing.

CDN cache debugging

Your CDN is serving stale content. Paste the response headers to see whether Cache-Control is set to max-age, no-store, or missing entirely.

Performance optimization

Check whether your responses include Content-Encoding: gzip or br (Brotli). Missing compression on text responses significantly increases payload size.

💡 Pro Tips for Accurate Results

Copy headers from DevTools. In Chrome: open DevTools, go to the Network tab, click any request, find Response Headers, right-click, and choose Copy. Paste the entire block here for analysis.

HSTS requires includeSubDomains. Strict-Transport-Security: max-age=31536000 without includeSubDomains leaves your subdomains unprotected. Always include includeSubDomains.

Wildcard CORS origin + credentials is forbidden. Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is rejected by browsers. You must specify the exact origin when allowing credentials.

Remove deprecated X-XSS-Protection. X-XSS-Protection: 1; mode=block is deprecated and should be removed — it can introduce vulnerabilities in old IE. Replace with a proper CSP default-src directive.

🏁 Bottom Line

HTTP headers silently control security, performance, and browser behavior. A missing HSTS header means your site is vulnerable to downgrade attacks. A wrong Cache-Control means your CDN is serving stale content.

For complete HTTP debugging: build requests with curl Builder, analyze response codes with HTTP Status Codes, and measure performance with API Response Time.

How do I get HTTP response headers to analyze?

Three ways:

1. Browser DevTools: open the Network tab, click any request, click the Headers tab, and paste the Response Headers section here.
2. curl: curl -I https://example.com returns only headers. curl -D - https://example.com dumps headers before the body.
3. Online tools: httpbin.org/headers shows your request headers. response-headers.com shows what headers a server returns.

For inspecting your own server, curl -v https://yoursite.com shows both request and response headers with the TLS handshake details.

What security headers should every website have?

The most important:

- Strict-Transport-Security (HSTS) — forces HTTPS for the max-age duration; start with max-age=300 and work up to max-age=31536000 (1 year) after confirming HTTPS works correctly.
- Content-Security-Policy (CSP) — restricts which scripts, styles, and resources the browser will load; prevents XSS.
- X-Frame-Options: DENY or SAMEORIGIN — prevents clickjacking by blocking iframe embedding.
- X-Content-Type-Options: nosniff — prevents MIME type sniffing.
- Referrer-Policy — controls how much referrer information is sent.
- Permissions-Policy — restricts access to browser APIs (camera, microphone, geolocation).

What does Cache-Control: no-store vs no-cache mean?

no-store: the response is never stored in any cache — it must be fetched fresh from the server every time. Use for responses containing sensitive data (banking, health records). no-cache: the response can be stored, but must be revalidated with the server before being served from cache (using ETag or Last-Modified). max-age=0: same effect as no-cache — cached but always revalidated. The common confusion: no-cache does not mean 'do not cache' — it means 'cache but always check'. no-store truly prevents caching. For HTML pages: no-cache (always revalidate) is usually correct. For sensitive API responses: no-store.
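The effective cache duration calculation described under "Cache behavior analysis" and the no-store / no-cache / max-age=0 distinctions above, as an added example that is not the analyzer's own code. It takes a header object with lowercased keys, applies RFC 9111 precedence, and reports browser and shared-cache (CDN) freshness separately; the SAMPLES are constructed.

```javascript
// Added example (not the analyzer's own code): effective freshness for a
// browser cache and a shared (CDN) cache, following RFC 9111 precedence:
// no-store > no-cache > s-maxage (shared caches only) > max-age > Expires - Date.
function cacheBehavior(headers, nowMs = Date.now()) {
  const cc = {};
  for (const token of (headers["cache-control"] || "").split(",")) {
    const [k, v] = token.trim().toLowerCase().split("=");
    if (k) cc[k] = v === undefined ? true : v.replace(/^"|"$/g, "");
  }
  const hasValidator = Boolean(headers["etag"] || headers["last-modified"]);
  if ("no-store" in cc)
    return { browser: 0, cdn: 0, revalidate: false, hasValidator, note: "never stored anywhere" };
  let browser = null, cdn = null;                  // null = no explicit lifetime
  if ("max-age" in cc) {
    browser = cdn = Number(cc["max-age"]);
  } else if (headers["expires"]) {
    // Expires is relative to the response Date; an unparseable value means "already stale"
    const base = headers["date"] ? Date.parse(headers["date"]) : nowMs;
    const exp = Date.parse(headers["expires"]);
    browser = cdn = Number.isNaN(exp) ? 0 : Math.max(0, Math.floor((exp - base) / 1000));
  }
  if ("private" in cc) cdn = 0;                    // shared caches may not store it
  else if ("s-maxage" in cc) cdn = Number(cc["s-maxage"]);
  // no-cache (and max-age=0): may be stored, but every use is revalidated first
  const revalidate = "no-cache" in cc || browser === 0;
  if ("no-cache" in cc) browser = cdn = 0;
  let note;
  if (revalidate) note = hasValidator
    ? "stored, but revalidated via ETag/Last-Modified on every use (cheap 304s)"
    : "revalidate required but no validator: every use is a full refetch";
  else if (browser === null) note = "no explicit lifetime: caches apply heuristic freshness";
  else note = `fresh for ${browser}s in the browser and ${cdn}s in a CDN`;
  return { browser, cdn, revalidate, hasValidator, note };
}

// Constructed samples covering the cases discussed above
const SAMPLES = {
  apiSensitive: { "cache-control": "no-store" },
  htmlPage: { "cache-control": "no-cache", "etag": '"v7"' },
  asset: { "cache-control": "public, max-age=60, s-maxage=600", "etag": '"a1"' },
  perUser: { "cache-control": "private, max-age=300" },
  legacy: { "date": "Mon, 01 Jan 2029 00:00:00 GMT", "expires": "Mon, 01 Jan 2029 01:00:00 GMT" },
};
```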

What is CORS and how do I read the CORS headers?

CORS (Cross-Origin Resource Sharing) is the browser security mechanism that restricts which origins can make requests to an API. Key response headers:

- Access-Control-Allow-Origin: * allows any origin; Access-Control-Allow-Origin: https://app.example.com allows only that origin.
- Access-Control-Allow-Methods lists allowed HTTP methods.
- Access-Control-Allow-Headers lists allowed request headers.
- Access-Control-Allow-Credentials: true allows cookies/auth in cross-origin requests (requires a specific origin in Allow-Origin, not *).
- Access-Control-Max-Age caches the preflight response.

If CORS headers are missing or incorrect, the browser blocks the request even if the server returns 200.
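The CORS configuration check and the "debugging CORS errors" scenario from earlier on the page, as an added example that is not the analyzer's own code. Given a preflight response (header object with lowercased keys) and the request the browser is about to make, it names the exact header that would cause the block, including the wildcard-plus-credentials case; PREFLIGHT and REQUEST are constructed.

```javascript
// Added example (not the analyzer's own code): the CORS checks described
// above, applied to a header object with lowercased keys. Wildcards in
// Allow-Methods/Allow-Headers are honoured only without credentials (Fetch spec).
function checkCors(headers, requestOrigin) {
  const issues = [];
  const allowOrigin = headers["access-control-allow-origin"];
  const creds = (headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (!allowOrigin) {
    issues.push("Access-Control-Allow-Origin missing: browser blocks the response even on 200");
    return issues;
  }
  if (allowOrigin === "*" && creds)
    issues.push("Allow-Origin: * with Allow-Credentials: true is rejected; echo the exact origin");
  if (allowOrigin !== "*" && allowOrigin !== requestOrigin)
    issues.push(`Allow-Origin ${allowOrigin} does not match requesting origin ${requestOrigin}`);
  if (allowOrigin !== "*" && !/\borigin\b/i.test(headers["vary"] || ""))
    issues.push("Per-origin Allow-Origin without Vary: Origin: a CDN may serve it to another origin");
  return issues;
}

// Preflight: does the response permit the method and request headers the
// browser is about to send? GET/HEAD/POST never need listing; CORS-safelisted
// request headers (e.g. Accept) are not special-cased here for brevity.
function checkPreflight(headers, { origin, method, requestHeaders }) {
  const issues = checkCors(headers, origin);
  const creds = (headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const list = name => (headers[name] || "").split(",").map(v => v.trim().toLowerCase()).filter(Boolean);
  const methods = list("access-control-allow-methods");
  const m = method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !methods.includes(m) && !(methods.includes("*") && !creds))
    issues.push(`Method ${method} not in Access-Control-Allow-Methods`);
  const allowed = list("access-control-allow-headers");
  for (const h of requestHeaders)
    if (!allowed.includes(h.toLowerCase()) && !(allowed.includes("*") && !creds))
      issues.push(`Request header ${h} not in Access-Control-Allow-Headers`);
  return issues;
}

// Constructed preflight response for a PUT with JSON body and a bearer token
const PREFLIGHT = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET, POST",
  "access-control-allow-headers": "Content-Type",
};
const REQUEST = { origin: "https://app.example.com", method: "PUT", requestHeaders: ["Content-Type", "Authorization"] };
```

checkPreflight(PREFLIGHT, REQUEST) reports three problems: the wildcard origin with credentials, PUT not being allowed, and Authorization not being allowed.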

What does the Vary header do and why does it affect caching?

Vary tells caches which request headers affect the response content. Vary: Accept-Encoding means the server may return gzip or identity (uncompressed) responses — caches must store separate copies for each encoding. Vary: Accept-Language means content varies by language. Vary: Cookie is problematic — it means cached responses differ per cookie value, which effectively disables CDN caching for that endpoint since every user has different cookies. Vary: Origin (used for CORS responses) means CDNs cache one response per requesting origin. For public API responses, minimize Vary headers to maximize CDN cache hit rates.

How do I check if my site has an A+ rating on security headers?

securityheaders.com grades your site A+ through F based on which security headers are present and correctly configured. An A+ requires at minimum: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Content-Security-Policy is the hardest to configure correctly — start with report-only mode (Content-Security-Policy-Report-Only) to see what would be blocked without actually blocking anything, then tighten the policy iteratively.

What other web and API tools are on this site?

The HTTP Status Codes reference explains every status code you might see in headers (301, 401, 429, 503). The curl Builder generates commands to retrieve and inspect headers from any URL. The JWT Decoder analyzes Authorization Bearer tokens found in request headers. The MIME Type Lookup identifies Content-Type header values. The Meta Tag Generator creates the HTML meta tags that complement HTTP headers for browser behavior. All are in the Dev Tools section.