HTTP Header Analyzer

Paste HTTP response headers to get a security audit, caching analysis, and CORS check with copy-paste fix snippets.


What This Tool Does

Security Audit

Checks 7 critical security headers: HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. Each header gets a pass/warn/fail rating with detailed explanations of the risks.

Caching Analysis

Parses Cache-Control directives and explains them in plain English. Checks Expires, ETag, Last-Modified, Vary, and Age headers. Identifies missing conditional request support and suboptimal caching strategies.

CORS Check

Analyzes Access-Control-Allow-Origin, Methods, Headers, Credentials, Max-Age, and Expose-Headers. Flags dangerous configurations like wildcard origins with credentials, and explains preflight caching behavior.

How to Get Your Headers

Browser DevTools

Open DevTools (F12) > Network tab > click any request > Headers tab > copy the Response Headers section and paste here.

curl

Run curl -I https://example.com in your terminal. This shows only the response headers. Paste the entire output here.


HTTP Header Analyzer — Test and Audit Security Headers

HTTP response headers control critical security behaviors — content security policies, frame embedding, HTTPS enforcement, and cross-origin access. This HTTP header analyzer audits your headers and scores them on security best practices, with specific fix snippets for Nginx, Apache, Express, and Cloudflare. Run an HTTP headers test in seconds by pasting the output of curl -I https://yoursite.com directly into the tool.

Unlike online scanners that require a live URL, this tool lets you analyze HTTP headers from staging environments, localhost, or curl output without exposing internal services to a third-party scanner. Everything runs in your browser; no data is sent anywhere. This makes it ideal for auditing pre-production environments, internal APIs, or any server you wouldn't expose to an external scanning service.

HTTP security headers are the first line of defense against a wide range of web attacks. Missing or misconfigured headers are one of the most common findings in security audits — and they're also among the easiest to fix. A few lines in your server config can close vulnerabilities that would otherwise require complex application-level code to address. The OWASP Top 10 and most security compliance frameworks (SOC 2, PCI DSS) explicitly require these headers.

Common misconfigurations that this HTTP header analyzer catches include: missing Strict-Transport-Security (HSTS) that leaves users vulnerable to SSL stripping attacks; no Content-Security-Policy or a policy with unsafe-inline that defeats XSS protection; absent X-Content-Type-Options: nosniff that allows MIME-type confusion attacks; and overly permissive CORS with Access-Control-Allow-Origin: * combined with credentials. Each of these has been exploited in real attacks against production sites.

To run an HTTP headers test from the command line, use curl -I https://example.com for a HEAD request (headers only), or curl -D - -o /dev/null https://example.com to capture the headers of a GET request (some servers answer HEAD and GET with different headers). You can also grab headers from your browser's DevTools Network tab: right-click any request, select "Copy response headers," and paste here. The tool strips the HTTP status line automatically.

Each security header protects against a specific class of attack. Strict-Transport-Security (HSTS) prevents protocol downgrade attacks and cookie hijacking. Content-Security-Policy (CSP) blocks cross-site scripting by allowlisting trusted content sources. X-Content-Type-Options: nosniff stops browsers from sniffing a response into a MIME type other than the declared Content-Type. X-Frame-Options (or the frame-ancestors CSP directive) blocks clickjacking. Referrer-Policy controls what URL information leaks in the Referer header. Permissions-Policy restricts access to browser APIs like camera, microphone, and geolocation.

Tips

  • Get headers from any URL with: curl -I https://example.com — then paste the output directly into this tool.
  • Strict-Transport-Security with max-age=31536000; includeSubDomains; preload is the gold standard for HSTS. Shorter max-age values weaken the protection.
  • A Content-Security-Policy with unsafe-inline or unsafe-eval significantly weakens XSS protection. Consider using nonces or hashes instead.
  • Access-Control-Allow-Origin: * is fine for public APIs, but never combine it with Access-Control-Allow-Credentials: true — browsers will reject the request.
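The checks described under "What This Tool Does" and in the tips above, as an added example (not the tool's own code): it parses pasted raw headers (dropping the status line, lower-casing names) and rates HSTS, CSP, nosniff, framing and the CORS wildcard-plus-credentials combination as pass/warn/fail. The thresholds (max-age of one year, unsafe-inline/unsafe-eval as a warning) follow the tips; the sample headers are constructed.

```javascript
// Added example (not the tool's own code): a minimal version of the checks this
// page describes: parse pasted raw headers, then rate HSTS, CSP, nosniff,
// framing and the CORS wildcard+credentials combination as pass/warn/fail.
// Header names are case-insensitive, so they are lower-cased on parse.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || /^HTTP\/\d(\.\d)?\s+\d{3}/.test(line)) continue; // skip status line
    const i = line.indexOf(':');
    if (i < 1) continue; // also skips DevTools' ":status: 200" pseudo-header line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

function audit(headers) {
  const r = {};
  // HSTS: present with max-age of at least one year (31536000 s) passes; shorter warns.
  const hsts = headers['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  r.hsts = !hsts ? 'fail' : (maxAge && Number(maxAge[1]) >= 31536000 ? 'pass' : 'warn');
  // CSP: missing fails; 'unsafe-inline' or 'unsafe-eval' anywhere in the policy warns.
  const csp = headers['content-security-policy'];
  r.csp = !csp ? 'fail' : (/'unsafe-(inline|eval)'/i.test(csp) ? 'warn' : 'pass');
  // MIME sniffing: only the exact value "nosniff" counts.
  r.nosniff = /^nosniff$/i.test(headers['x-content-type-options'] || '') ? 'pass' : 'fail';
  // Clickjacking: either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
  const xfo = headers['x-frame-options'];
  r.framing = (xfo && /^(DENY|SAMEORIGIN)$/i.test(xfo)) || /frame-ancestors/i.test(csp || '') ? 'pass' : 'fail';
  // CORS: a wildcard origin alone is fine for public APIs, but combined with
  // credentials it is rejected by browsers, so that combination fails.
  const acao = headers['access-control-allow-origin'];
  const creds = /^true$/i.test(headers['access-control-allow-credentials'] || '');
  r.cors = acao === '*' && creds ? 'fail' : 'pass';
  return r;
}

// Constructed sample, as a user might paste from `curl -I`.
const SAMPLE = [
  'HTTP/2 200',
  'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=300',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options: nosniff',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
].join('\n');

console.log(audit(parseHeaders(SAMPLE)));
```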