HTTP Header Analyzer
Paste raw HTTP response headers to see them parsed, explained, and checked for important security headers.
Runs entirely in your browser.
HTTP Response Header Analyzer
Status line: HTTP/2 200
| Header | Value | Description |
|---|---|---|
| content-type | text/html; charset=UTF-8 | Indicates the media type (MIME type) of the returned content, e.g. text/html or application/json. |
| cache-control | max-age=3600, public | Defines caching rules for browsers and proxies, such as max-age, public, private, or no-store. |
| strict-transport-security | max-age=31536000; includeSubDomains | HSTS. Tells the browser to use HTTPS for all future requests to this host (and, with includeSubDomains, its subdomains) for max-age seconds, blocking SSL-stripping downgrade attacks. It only takes effect after the header has been seen once over HTTPS, so the very first visit is unprotected unless the domain is on the HSTS preload list. |
| x-content-type-options | nosniff | When set to "nosniff", prevents the browser from MIME-sniffing the response away from the declared type. |
| x-frame-options | SAMEORIGIN | Controls whether the page may be embedded in a frame (DENY or SAMEORIGIN), protecting against clickjacking. The CSP frame-ancestors directive supersedes it in modern browsers; send both for older clients. |
| content-security-policy | default-src 'self' | CSP. Restricts which sources of scripts, styles, and other resources may load, mitigating XSS. |
| server | nginx | Identifies the web server software. A product name alone is low-risk, but a version string lets attackers fingerprint known vulnerabilities, so it is often removed or reduced to a generic value. |
Security Headers Summary
| Header | Status | Purpose |
|---|---|---|
| strict-transport-security | Present | Enforces HTTPS and prevents downgrade attacks. |
| content-security-policy | Present | Mitigates cross-site scripting (XSS) and data injection. |
| x-frame-options | Present | Protects against clickjacking by controlling framing. |
| x-content-type-options | Present | Stops MIME-type sniffing (use "nosniff"). |
| referrer-policy | Missing | Limits referrer information leakage. |
| permissions-policy | Missing | Restricts access to powerful browser features. |
| cross-origin-opener-policy | Missing | Isolates the browsing context: with same-origin, cross-origin pages that open this page lose their window reference to it, which also enables cross-origin isolation. |
| cross-origin-resource-policy | Missing | Controls which origins may load this resource as a subresource (image, script, etc.), limiting cross-origin reads of its bytes. |
4 of 8 recommended security headers present. Consider adding the missing headers above. Note that "Present" only means the header was found; a weak value (an HSTS max-age of a few seconds, or a CSP that allows 'unsafe-inline' scripts) still needs fixing.
About HTTP Headers
HTTP headers are key/value pairs sent with every HTTP request and response. Response headers tell the browser how to handle the returned content: how long to cache it, what content type it is, which security policies to enforce, and more.
Security-related headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options help protect users against common attacks like cross-site scripting, clickjacking, and protocol downgrade attacks. This analyzer parses the headers you paste, explains the well-known ones, and reports which recommended security headers are present or missing. Learn more in our HTTP Tutorial.
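The parse-then-check flow described above, as an added example that is not the analyzer's own code: it splits raw response text into a status line and a case-insensitive header map, keeps repeated headers (such as multiple set-cookie lines) instead of overwriting them, and then checks the eight headers listed in the summary table, flagging a few weak values as well as absence. The sample response, the RECOMMENDED table and the warning rules are constructed for this example.

```javascript
// Added example (not the analyzer's own code): parse raw HTTP response
// headers and check for the recommended security headers.
// The RECOMMENDED table mirrors the page's summary; purposes are shortened.
const RECOMMENDED = {
  'strict-transport-security': 'Enforces HTTPS and prevents downgrade attacks.',
  'content-security-policy': 'Mitigates XSS and data injection.',
  'x-frame-options': 'Protects against clickjacking.',
  'x-content-type-options': 'Stops MIME-type sniffing (use "nosniff").',
  'referrer-policy': 'Limits referrer information leakage.',
  'permissions-policy': 'Restricts access to powerful browser features.',
  'cross-origin-opener-policy': 'Isolates the browsing context.',
  'cross-origin-resource-policy': 'Controls cross-origin resource embedding.',
};

// Parse pasted text into { statusLine, headers }. Header names are
// case-insensitive, so they are lower-cased; repeated headers are kept
// as an array rather than silently overwritten. A missing status line is OK.
function parseHeaders(raw) {
  let statusLine = null;
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    if (line.trim() === '') continue;
    if (statusLine === null && /^HTTP\/\d(\.\d)?\s+\d{3}/.test(line)) {
      statusLine = line.trim();
      continue;
    }
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // not "name: value"; ignore the line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { statusLine, headers };
}

// Value checks (assumed thresholds, e.g. HSTS max-age of one year), so that
// "Present" does not hide an ineffective setting.
function valueWarnings(name, value) {
  const notes = [];
  const v = value.toLowerCase();
  if (name === 'strict-transport-security') {
    const m = v.match(/max-age=(\d+)/);
    if (!m) notes.push('max-age directive missing');
    else if (Number(m[1]) < 31536000) notes.push('max-age below one year');
    if (!v.includes('includesubdomains')) notes.push('includeSubDomains not set');
  }
  if (name === 'x-content-type-options' && v !== 'nosniff') notes.push('value should be "nosniff"');
  if (name === 'x-frame-options' && !['deny', 'sameorigin'].includes(v)) {
    notes.push('value should be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)');
  }
  if (name === 'content-security-policy') {
    if (v.includes("'unsafe-inline'")) notes.push("'unsafe-inline' weakens XSS protection");
    if (v.includes("'unsafe-eval'")) notes.push("'unsafe-eval' weakens XSS protection");
    if (!/(^|;)\s*(default-src|script-src)\b/.test(v)) notes.push('no default-src or script-src');
  }
  return notes;
}

// Presence check over the recommended set, one result row per header.
function checkSecurityHeaders(headers) {
  return Object.entries(RECOMMENDED).map(([header, purpose]) => {
    const values = headers.get(header);
    if (!values) return { header, status: 'Missing', purpose, notes: [] };
    const value = values.join(', ');
    return { header, status: 'Present', purpose, value, notes: valueWarnings(header, value) };
  });
}

function summarize(results) {
  const present = results.filter((r) => r.status === 'Present').length;
  return `${present} of ${results.length} recommended security headers present.`;
}

// Constructed sample: the same response shown in the page's example tables.
const SAMPLE = `HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: max-age=3600, public
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'self'
server: nginx
`;

const parsed = parseHeaders(SAMPLE);
const report = checkSecurityHeaders(parsed.headers);
console.log('Status line:', parsed.statusLine);
for (const r of report) {
  const extra = r.notes.length ? ` (${r.notes.join('; ')})` : '';
  console.log(`${r.header}: ${r.status}${extra}`);
}
console.log(summarize(report));
```

Because the map is keyed by lower-cased name, an HTTP/1.1 response with `Strict-Transport-Security` and an HTTP/2 response with `strict-transport-security` produce the same report; the notes array is what distinguishes a header that is merely present from one that is configured usefully.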