Developer Network Utility
HTTP Header Analyzer
Paste HTTP response headers to check security headers, cache policy, CORS settings, content type, and cookie security options in one place.
HTTP Header Input
Paste response headers copied from your browser DevTools Network tab or from curl -I output.
Analysis Result
Check whether major HTTP headers exist and whether their recommended status is good, warning, or risky.
Parsed Headers
Displays the entered response headers as key-value pairs.
Detailed Report
Copy or download the analysis result as a server configuration improvement checklist.
Enter HTTP response headers, then click Analyze HTTP Headers.
Header Check Categories
HTTP headers include items directly related to operational quality, such as security, cache, CORS, and cookie policies.
HSTS enforces HTTPS, CSP limits script, image, and frame sources, X-Frame-Options helps prevent clickjacking, and X-Content-Type-Options helps prevent MIME type sniffing.
Cache-Control, ETag, and Expires are used to evaluate browser and CDN cache strategies.
Access-Control-Allow-Origin and Set-Cookie options are important for checking external request permissions and session security.
Help
What is HTTP Header Analyzer?
HTTP Header Analyzer is a free developer utility that checks website response headers for security, cache, CORS, content type, and cookie security settings.
Use it to review Nginx, Apache, Django, Node.js, CDN, or reverse proxy settings, and to find missing security headers before deployment.
Main Check Items
- Strict-Transport-Security: whether HTTPS is enforced
- Content-Security-Policy: limits script, image, and frame sources
- X-Frame-Options: helps prevent clickjacking
- X-Content-Type-Options: helps prevent MIME type sniffing
- Referrer-Policy: controls referrer information sent during navigation
- Permissions-Policy: limits browser feature permissions
- Cache-Control: browser cache policy
- Set-Cookie: checks Secure, HttpOnly, and SameSite options
Useful For
- Checking missing security headers before website deployment
- Reviewing Nginx or Apache response header settings
- Checking security headers for Django, Node.js, or Spring services
- Inspecting cache policy after CDN setup
- Troubleshooting CORS issues
- Reviewing cookie security options
Where can I find HTTP headers?
You can copy Response Headers from the Network tab in browser DevTools, or use curl -I https://example.com in a terminal.
Should HSTS always be enabled?
HSTS is a strong security header that enforces HTTPS. Enable it when your entire site and subdomains work reliably over HTTPS. Misconfiguration can affect subdomains that still require HTTP.
Is it risky not to have CSP?
Content-Security-Policy helps mitigate XSS attacks. However, apply it gradually after identifying the scripts, images, and CDN sources your service actually uses.
How should Cache-Control be configured?
Static assets such as images, CSS, and JS can usually use longer cache durations, while HTML or user-specific responses may require shorter cache or no-cache strategies.
Is Access-Control-Allow-Origin: * safe?
It can be acceptable for public APIs or static resources, but use caution with authenticated requests. APIs using cookies or tokens should restrict allowed origins explicitly.
Why are Set-Cookie security options important?
Secure sends cookies only over HTTPS, HttpOnly restricts JavaScript access to cookies, and SameSite helps reduce CSRF risk.
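The header, CORS, and cookie checks described above can be sketched as follows. This is an added example, not this tool's own code; the function names, the severity assigned to each finding, and the sample input are assumptions made for illustration.

```python
# Added example: the header names come from this page's "Main Check Items" list.
RECOMMENDED = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy", "cache-control",
)

# Constructed sample input in `curl -I` form; not captured from a real site.
SAMPLE = """\
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
cache-control: no-cache
access-control-allow-origin: *
set-cookie: sessionid=abc123; Path=/; HttpOnly
set-cookie: theme=dark; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs. A list rather than a dict,
    because Set-Cookie may appear more than once in a single response."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or not name.strip():
            continue  # blank line, status line, or HTTP/2 pseudo-header
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def analyze(raw):
    """Return findings as (level, message) tuples, in check order."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    findings = [("warning", f"missing {h}") for h in RECOMMENDED if h not in present]
    for name, value in pairs:
        if name == "access-control-allow-origin" and value == "*":
            findings.append(("warning", "CORS allows any origin"))
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            # Attribute names only: "SameSite=Lax" -> "samesite"
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(("risky", f"cookie {cookie} lacks {flag}"))
    return findings

if __name__ == "__main__":
    for level, message in analyze(SAMPLE):
        print(f"{level:8} {message}")
```

Each Set-Cookie line is checked on its own, so one hardened cookie does not mask another that is missing Secure or SameSite.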
Does this tool complete a full security audit?
No. This tool quickly checks pasted HTTP header text. Real security also depends on server configuration, application code, authentication, cookie policy, and HTTPS setup.