Features
Parse HTTP headers
Security header analysis
Caching header check
CORS configuration review
Content-Type validation
Security recommendations
Header format validation
100% client-side
No server communication
Instant analysis
What are HTTP Headers?
HTTP headers are key-value pairs sent between clients and servers in HTTP requests and responses. Headers provide metadata about the request or response, including content type, caching directives, security policies, authentication credentials, and more. Understanding and properly configuring HTTP headers is crucial for web security, performance, and functionality.
Request headers are sent by the client (browser) to the server, containing information like accepted content types, cookies, and user agent. Response headers are sent by the server back to the client, including content type, caching rules, security policies, and server information.
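The parsing step a header tool has to get right before any analysis is splitting a pasted response into a status line and a case-insensitive list of fields while rejecting malformed ones. The following is an added example (written for this page, not the tool's own code; the function and variable names are my own) that does that for raw HTTP/1.x text: it keeps repeated fields such as Set-Cookie or WWW-Authenticate in order, lowercases names for lookup, and reports fields whose name is not a valid token (including a space before the colon, which RFC 9112 says must be rejected because proxies and origins disagree on how to treat it), values containing control characters, and obsolete line folding.

```javascript
// Added example (not the tool's own code): parse a pasted HTTP/1.x response into a
// status line plus a case-insensitive multimap of header fields, validating each
// field name against the RFC 9110 token grammar and each value for control characters.

const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 tchar
const CTL_RE = /[\x00-\x08\x0A-\x1F\x7F]/;         // control characters other than HTAB are not allowed in values

function parseResponseHeaders(raw) {
  // Accept CRLF or bare LF line endings; the header section ends at the first empty line.
  const lines = raw.replace(/\r\n/g, '\n').split('\n');
  const result = { status: null, headers: new Map(), errors: [] };
  let i = 0;

  // Optional status line, e.g. "HTTP/1.1 200 OK" or "HTTP/2 200".
  const statusMatch = /^HTTP\/(\d)(?:\.(\d))?\s+(\d{3})(?:\s+(.*))?$/.exec(lines[0] || '');
  if (statusMatch) {
    result.status = {
      version: statusMatch[1] + (statusMatch[2] !== undefined ? '.' + statusMatch[2] : ''),
      code: Number(statusMatch[3]),
      reason: statusMatch[4] || '',
    };
    i = 1;
  }

  for (; i < lines.length; i++) {
    const line = lines[i];
    if (line === '') break; // end of header section; anything after it is body
    if (/^[ \t]/.test(line)) { // obsolete line folding (obs-fold), RFC 9112 5.2
      result.errors.push(`line ${i + 1}: obsolete line folding is not accepted`);
      continue;
    }
    const colon = line.indexOf(':');
    if (colon <= 0) {
      result.errors.push(`line ${i + 1}: missing ':' separator`);
      continue;
    }
    const name = line.slice(0, colon);          // no trimming: "Name :" must fail the token check
    const value = line.slice(colon + 1).trim(); // optional whitespace around the value is allowed
    if (!TOKEN_RE.test(name)) {
      result.errors.push(`line ${i + 1}: invalid field name "${name}"`);
      continue;
    }
    if (CTL_RE.test(value)) {
      result.errors.push(`line ${i + 1}: control character in value of ${name}`);
      continue;
    }
    const key = name.toLowerCase(); // field names are case-insensitive
    if (!result.headers.has(key)) result.headers.set(key, []);
    result.headers.get(key).push(value); // repeated fields are kept in order, not merged
  }
  return result;
}
```

The map produced here (lowercase name to array of values) is the shape a security audit, a CORS check or a caching check can consume without re-parsing.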
Common HTTP Headers
- Content-Type: Specifies the media type of the resource
- Cache-Control: Directives for caching mechanisms
- Authorization: Credentials for HTTP authentication
- Cookie: Stored HTTP cookies
- User-Agent: Client application information
- Accept: Media types the client can process
- Content-Length: Size of the response body
- Location: URL for redirects
Security Headers
Essential Security Headers
Security headers instruct the browser to enforce protections against common web vulnerabilities like XSS, clickjacking, MIME sniffing, and protocol downgrade (SSL stripping). Implementing proper security headers is a critical part of web application security, but they are defence in depth: they complement, and do not replace, fixing the underlying flaws.
Recommended Security Headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
Header Descriptions
- Strict-Transport-Security (HSTS): Tells the browser to use HTTPS only for this host (and, with includeSubDomains, its subdomains) for max-age seconds; the very first visit is only protected if the domain is on the preload list
- X-Frame-Options: Prevents clickjacking by forbidding framing (DENY) or restricting it to the same origin (SAMEORIGIN); CSP frame-ancestors is the modern replacement, so send both for older browsers
- X-Content-Type-Options: Prevents MIME type sniffing; the only valid value is nosniff
- Content-Security-Policy (CSP): Controls which origins may supply scripts, styles, images, frames and other resources; avoid 'unsafe-inline' in script-src, or the policy stops protecting against XSS
- X-XSS-Protection: Legacy header. The browser XSS auditor it controlled has been removed from modern browsers, and in older ones it could be abused for cross-site leaks; set it to 0 (or omit it) and rely on CSP instead
- Referrer-Policy: Controls how much of the current URL is sent in the Referer header on navigations and subresource requests
- Permissions-Policy: Controls which browser features (geolocation, camera, microphone, ...) the page and its iframes may use
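The checks a tool performs against the list above are mostly mechanical, but a few need a second look at the value rather than just presence: a CSP whose script-src allows 'unsafe-inline' without a nonce or hash, an HSTS max-age shorter than a year, or an X-XSS-Protection header that is still switched on. The following is an added example (written for this page, not the tool's own code; function names, severities and the sample headers are my own) that runs those checks over a header map of lowercase name to array of values and returns findings.

```javascript
// Added example (not the tool's own code): audit a parsed response header map
// (lowercase name -> array of values) for the security headers described above.

function parseCsp(value) {
  // "default-src 'self'; script-src 'self' 'nonce-abc'" -> Map(directive -> [sources])
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

function auditSecurityHeaders(headers) {
  const findings = [];
  const add = (severity, header, message) => findings.push({ severity, header, message });
  const first = (name) => (headers.get(name) || [])[0];

  // HSTS: present, long max-age, covers subdomains. Only meaningful on HTTPS responses.
  const hsts = first('strict-transport-security');
  if (hsts === undefined) {
    add('high', 'Strict-Transport-Security', 'missing; browsers will keep accepting plain HTTP for this host');
  } else {
    const m = /max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    if (!m) add('high', 'Strict-Transport-Security', 'max-age directive missing; header is ignored');
    else if (Number(m[1]) < 31536000) add('medium', 'Strict-Transport-Security', `max-age ${m[1]} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) add('low', 'Strict-Transport-Security', 'includeSubDomains not set; subdomains stay unprotected');
  }

  // CSP: present, and the effective script policy does not neutralise itself.
  const csp = first('content-security-policy');
  let frameAncestorsSet = false;
  if (csp === undefined) {
    add('high', 'Content-Security-Policy', 'missing; no browser-side restriction on script/resource origins');
  } else {
    const d = parseCsp(csp);
    frameAncestorsSet = d.has('frame-ancestors');
    const scriptSrc = d.get('script-src') || d.get('default-src'); // default-src is the fallback for script-src
    if (!scriptSrc) {
      add('medium', 'Content-Security-Policy', 'neither script-src nor default-src set; scripts are unrestricted');
    } else {
      const hasNonceOrHash = scriptSrc.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
      // With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline', so it is harmless there.
      if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
        add('high', 'Content-Security-Policy', "script-src allows 'unsafe-inline' without nonce/hash; injected inline scripts still run");
      if (scriptSrc.includes("'unsafe-eval'"))
        add('medium', 'Content-Security-Policy', "script-src allows 'unsafe-eval'");
      if (scriptSrc.some(s => s === '*' || /^https?:$/.test(s)))
        add('high', 'Content-Security-Policy', 'script-src allows any origin via * or a bare scheme source');
    }
  }

  // Clickjacking: either CSP frame-ancestors or X-Frame-Options must restrict framing.
  const xfo = first('x-frame-options');
  if (!frameAncestorsSet && xfo === undefined)
    add('medium', 'X-Frame-Options', 'missing and CSP has no frame-ancestors; page can be framed (clickjacking)');
  else if (xfo !== undefined && !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim()))
    add('medium', 'X-Frame-Options', `unsupported value "${xfo}" (ALLOW-FROM is ignored by modern browsers)`);

  // MIME sniffing: the only valid value is nosniff.
  const xcto = first('x-content-type-options');
  if (xcto === undefined || xcto.trim().toLowerCase() !== 'nosniff')
    add('medium', 'X-Content-Type-Options', 'should be exactly "nosniff"');

  // X-XSS-Protection: the auditor is gone from modern browsers and was abusable in old
  // ones; the only safe states are absent or "0".
  const xxp = first('x-xss-protection');
  if (xxp !== undefined && xxp.trim() !== '0')
    add('low', 'X-XSS-Protection', 'deprecated; remove it or set "0" and rely on CSP');

  if (first('referrer-policy') === undefined)
    add('low', 'Referrer-Policy', 'missing; set it explicitly rather than relying on the browser default');
  if (first('permissions-policy') === undefined)
    add('info', 'Permissions-Policy', 'missing; consider disabling unused features, e.g. geolocation=(), microphone=()');

  return findings;
}

// Constructed sample: a site that sends the recommended headers but still ships a CSP with
// 'unsafe-inline' in script-src and a legacy X-XSS-Protection header.
const SAMPLE_HEADERS = new Map([
  ['content-type', ['text/html; charset=UTF-8']],
  ['strict-transport-security', ['max-age=31536000; includeSubDomains; preload']],
  ['x-frame-options', ['DENY']],
  ['x-content-type-options', ['nosniff']],
  ['content-security-policy', ["default-src 'self'; script-src 'self' 'unsafe-inline'"]],
  ['x-xss-protection', ['1; mode=block']],
]);
```

Run against SAMPLE_HEADERS this reports four findings: the 'unsafe-inline' CSP (high), the switched-on X-XSS-Protection (low), and the missing Referrer-Policy and Permissions-Policy; the HSTS and framing checks pass.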
Common Use Cases
1. Security Audit
Analyze response headers from your website to identify missing security headers. Check for HSTS, CSP, X-Frame-Options, and other security headers. Implement missing headers to improve security posture.
2. Caching Configuration
Review Cache-Control, Expires, and ETag headers to optimize caching strategy. Proper caching reduces server load and improves page load times for returning visitors. Check the other direction too: responses that carry session cookies or user-specific data should be marked Cache-Control: no-store (or at least private), otherwise a CDN or shared proxy may serve one user's response to another.
3. CORS Troubleshooting
Analyze Access-Control-* headers when debugging cross-origin requests. Keep in mind that CORS is enforced by the browser, not the server: the request still reaches the server, and the headers only decide whether the calling page may read the response. Verify that Access-Control-Allow-Origin names the legitimate origins exactly, that it is not simply reflecting whatever Origin header arrives (especially together with Access-Control-Allow-Credentials: true, which would let any site read authenticated responses), and that Vary: Origin is set when the value depends on the request.
4. API Response Analysis
Examine API response headers to understand rate limiting, authentication requirements, and content negotiation. Headers like X-RateLimit-Remaining and X-Request-ID provide valuable debugging information.
5. Performance Optimization
Check compression headers (Content-Encoding), transfer encoding, and content length to optimize data transfer. Analyze timing headers (for example Server-Timing) to identify performance bottlenecks.
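For the CORS troubleshooting case above, the useful question is not "are the headers present" but "would this browser, for this origin, with or without credentials, be allowed to read the response". The following is an added example (written for this page, not the tool's own code; the function name and sample headers are my own) that applies the browser's CORS check to a header map of lowercase name to array of values and, along the way, flags the misconfigurations the paragraph mentions: a wildcard used with credentials, an origin-specific value without Vary: Origin, the 'null' origin, and credentials exposed to a matching origin.

```javascript
// Added example (not the tool's own code): decide, for a given requesting origin, whether the
// browser would expose a cross-origin response to the page (the CORS check from the Fetch
// standard), and collect warnings about risky but "working" configurations.

function corsCheck(requestOrigin, withCredentials, headers) {
  const get = (n) => headers.get(n) || [];
  const acao = get('access-control-allow-origin');
  const acac = get('access-control-allow-credentials');
  const vary = get('vary').join(',').split(',').map(v => v.trim().toLowerCase());
  const warnings = [];
  const block = (reason) => ({ allowed: false, reason, warnings });

  if (acao.length === 0) return block('no Access-Control-Allow-Origin header');
  if (acao.length > 1) return block('multiple Access-Control-Allow-Origin values; browsers reject this');
  const origin = acao[0].trim();

  if (origin === '*') {
    // The wildcard is fine for public, unauthenticated data, but browsers refuse it for credentialed requests.
    if (withCredentials) return block('wildcard origin is not allowed for credentialed requests');
    return { allowed: true, reason: 'wildcard origin, no credentials', warnings };
  }
  if (origin === 'null') {
    warnings.push("'null' origin is sent by sandboxed iframes and file:// pages; allowing it lets any attacker page qualify");
  }
  // Origins are compared as serialised strings, byte for byte (scheme, host and port).
  if (origin !== requestOrigin) return block(`request origin ${requestOrigin} does not match ${origin}`);

  // An origin-specific value means the response varies per request; without Vary: Origin a
  // shared cache can hand one origin's response (and its ACAO header) to a different origin.
  if (!vary.includes('origin') && !vary.includes('*'))
    warnings.push('Access-Control-Allow-Origin is origin-specific but Vary: Origin is missing (cache poisoning risk)');

  if (withCredentials) {
    if (acac.length !== 1 || acac[0].trim() !== 'true')
      return block('credentialed request but Access-Control-Allow-Credentials is not exactly "true"');
    warnings.push(`credentials are exposed to ${origin}; make sure this value comes from an allowlist, not from echoing the Origin header`);
  }
  return { allowed: true, reason: `origin ${origin} matches`, warnings };
}

// Constructed sample modelled on the page's "Example 2" API response.
const API_HEADERS = new Map([
  ['content-type', ['application/json']],
  ['access-control-allow-origin', ['https://example.com']],
  ['access-control-allow-methods', ['GET, POST, PUT, DELETE']],
]);
```

With API_HEADERS, a plain request from https://example.com is allowed (with a warning that Vary: Origin is missing), a request from any other origin is blocked, and a credentialed request from https://example.com is blocked because Access-Control-Allow-Credentials is absent.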
Header Examples
Example 1: Secure Website Headers
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
Cache-Control: public, max-age=3600
Example 2: API Response Headers
HTTP/1.1 200 OK
Content-Type: application/json
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Example 3: Caching Headers
HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000, immutable
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Last-Modified: Tue, 21 Oct 2025 07:28:00 GMT
Expires: Thu, 31 Dec 2026 23:59:59 GMT
Example 4: Redirect Headers
HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/new-page
Cache-Control: max-age=3600
Example 5: Authentication Headers
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example"
WWW-Authenticate: Basic realm="example"
Frequently Asked Questions
How do I view HTTP headers in my browser?
Open browser DevTools (F12), go to the Network tab, click on any request, and view the Headers section. You'll see both request and response headers.
What security headers should every website have?
At minimum: Strict-Transport-Security (for HTTPS sites), X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy. These protect against common attacks like clickjacking and XSS.
Can HTTP headers affect SEO?
Yes, headers like Cache-Control, Last-Modified, and canonical links affect how search engines crawl and index your site. Proper caching headers improve crawl efficiency.
What is CORS and why does it matter?
CORS (Cross-Origin Resource Sharing) is how a server tells browsers which other origins (scheme, host and port) may read its responses; it relaxes the browser's same-origin policy rather than adding a new restriction, and it does nothing against requests made outside a browser. Access-Control-Allow-Origin and the other Access-Control-* headers carry that policy.
How do I set HTTP headers?
Headers are set in your web server configuration (nginx, Apache) or application code. For static files, configure the web server. For dynamic content, set headers in your application framework.
What is the difference between Cache-Control and Expires?
Cache-Control is the modern HTTP/1.1 header with more options. Expires is the older HTTP/1.0 header using absolute dates. When both are present, Cache-Control max-age (or s-maxage for shared caches) takes precedence and Expires is ignored. Use Cache-Control for new applications; Expires is for backward compatibility.
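The precedence described in this answer is easiest to see as the freshness-lifetime computation a cache performs (RFC 9111, section 4.2.1): s-maxage for shared caches, then max-age, then Expires relative to the response Date, then a heuristic based on Last-Modified. The following is an added example (written for this page, not the tool's own code; the function names, the 10% heuristic factor and the sample headers are my own) that carries that out over a header map of lowercase name to array of values and also honours no-store and private, which is what keeps user-specific responses out of shared caches.

```javascript
// Added example (not the tool's own code): compute the freshness lifetime a cache would assign
// to a response, applying the RFC 9111 precedence: Cache-Control (s-maxage for shared caches,
// then max-age) beats Expires, which beats the Last-Modified heuristic.

function parseCacheControl(value) {
  // "public, max-age=3600, no-transform" -> Map { public => true, max-age => "3600", ... }
  const directives = new Map();
  for (const part of value.split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue;
    directives.set(name.toLowerCase(), rest.length ? rest.join('=').replace(/^"|"$/g, '') : true);
  }
  return directives;
}

function freshnessLifetime(headers, { shared = true } = {}) {
  const first = (n) => (headers.get(n) || [])[0];
  const cc = parseCacheControl((headers.get('cache-control') || []).join(','));
  const dateHeader = first('date');
  // RFC 9111 measures Expires and the heuristic against the response's Date header.
  const now = dateHeader && !Number.isNaN(Date.parse(dateHeader)) ? Date.parse(dateHeader) : Date.now();

  if (cc.has('no-store')) return { seconds: 0, source: 'no-store (not cacheable)' };
  if (shared && cc.has('private')) return { seconds: 0, source: 'private (not cacheable by shared caches)' };
  if (shared && cc.has('s-maxage') && /^\d+$/.test(cc.get('s-maxage')))
    return { seconds: Number(cc.get('s-maxage')), source: 's-maxage' };
  if (cc.has('max-age') && /^\d+$/.test(cc.get('max-age')))
    return { seconds: Number(cc.get('max-age')), source: 'max-age' };

  const expires = first('expires');
  if (expires !== undefined) {
    const t = Date.parse(expires);
    // An unparsable Expires value (e.g. "0" or "-1") means already expired, per RFC 9111 5.3.
    const seconds = Number.isNaN(t) ? 0 : Math.max(0, Math.floor((t - now) / 1000));
    return { seconds, source: 'Expires' };
  }

  const lastModified = first('last-modified');
  if (lastModified !== undefined && !Number.isNaN(Date.parse(lastModified))) {
    // Heuristic freshness: a common choice (assumed here) is 10% of the time since Last-Modified.
    return { seconds: Math.floor((now - Date.parse(lastModified)) / 10000), source: 'heuristic (10% of age since Last-Modified)' };
  }
  return { seconds: 0, source: 'no freshness information' };
}

// Constructed sample: the page's "Example 3" headers plus a Date header. Expires is present
// but ignored because max-age is set.
const CACHED_RESPONSE = new Map([
  ['date', ['Tue, 21 Oct 2025 08:00:00 GMT']],
  ['cache-control', ['public, max-age=31536000, immutable']],
  ['etag', ['"33a64df551425fcc55e4d42a148795d9f25f89d4"']],
  ['last-modified', ['Tue, 21 Oct 2025 07:28:00 GMT']],
  ['expires', ['Thu, 31 Dec 2026 23:59:59 GMT']],
]);
```

Calling freshnessLifetime(CACHED_RESPONSE) returns 31536000 seconds from max-age; dropping the Cache-Control header makes the same response fall back to Expires, and dropping Expires too makes it fall back to the heuristic. Passing { shared: false } models a browser cache, which ignores s-maxage and private.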
Should I hide the Server header?
Hiding or trimming the Server header (and similar ones such as X-Powered-By) provides minimal security benefit but reduces information disclosure about the software and versions you run. It's good practice but not a substitute for patching and proper security measures.
What is Content-Security-Policy?
CSP is a security header that controls which resources (scripts, styles, images) can load on your page. It's one of the most effective defenses against XSS attacks.
How do I test my website's headers?
Use browser DevTools, command-line tools like curl, or online header checkers. This tool analyzes headers you paste in. For live testing, use: curl -sI https://yoursite.com. Note that -I sends a HEAD request, which some servers answer differently or reject; to see the headers of a real GET, use: curl -s -D - -o /dev/null https://yoursite.com
Can headers be modified by proxies?
Yes, proxies and CDNs can add, modify, or remove headers. This is normal and often beneficial (adding caching headers, security headers). Check your CDN configuration if headers aren't as expected.