Parsing a Typical HTTP Response
The HTTP Header Parser takes raw HTTP headers and presents them in a structured, readable format with explanations. Here is a typical response header set parsed:
/* Raw HTTP response headers (input) */
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 48291
cache-control: public, max-age=3600, must-revalidate
etag: "a1b2c3d4e5f6"
last-modified: Mon, 15 Jan 2024 10:30:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' https://cdn.example.com
referrer-policy: strict-origin-when-cross-origin
vary: Accept-Encoding
content-encoding: gzip
server: nginx/1.24.0
date: Tue, 16 Jan 2024 08:45:22 GMT
/* Parsed output */
Status: 200 OK
content-type: text/html; charset=utf-8
→ Tells the browser this is HTML content encoded in UTF-8
content-length: 48291
→ Response body is 48,291 bytes (47.2 KB) as transferred, i.e. the gzip-compressed size, not the size of the decoded HTML
cache-control: public, max-age=3600, must-revalidate
→ Browsers and shared caches may serve it for 1 hour; once stale it must be revalidated with the origin before reuse (no serving stale copies on error)
etag: "a1b2c3d4e5f6"
→ Fingerprint for conditional requests (If-None-Match)
strict-transport-security: max-age=31536000; includeSubDomains
→ Enforce HTTPS for 1 year on this host and all subdomains: the browser upgrades http:// requests and refuses to click through certificate errors. Only honoured when received over a valid HTTPS connection
x-frame-options: DENY
→ Page cannot be embedded in any frame, not even a same-origin one (prevents clickjacking); superseded by CSP frame-ancestors but still useful for older clients
content-encoding: gzip
→ Response body is gzip-compressed
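The parsing step itself, as an added example that is not the page's tool: a small parser for a raw response head that handles both HTTP/1.x status lines and the reason-phrase-free form HTTP/2 tools print, repeated headers, obsolete line folding, and the malformed "name : value" spacing that RFC 9112 forbids, plus two of the explanations shown above derived from the parsed values. The sample input is the response from this section, constructed inline; names such as `parse_response_head` and `explain_basic` are this example's own.

```python
"""Parse a raw HTTP response head (status line plus headers).

Added example, not the page's own parser. Handles HTTP/1.x status lines
("HTTP/1.1 200 OK") and HTTP/2 ones as curl prints them ("HTTP/2 200",
no reason phrase), case-insensitive names, repeated headers and obsolete
line folding (a continuation line starting with SP or HTAB). Whitespace
between a field name and the colon is rejected: RFC 9112 forbids it, and
parsers that tolerate it are a request-smuggling vector.
"""
import re
from dataclasses import dataclass

STATUS_RE = re.compile(r"^(HTTP/\d(?:\.\d)?)[ \t]+(\d{3})(?:[ \t]+(.*))?$")
REASONS = {200: "OK", 204: "No Content", 301: "Moved Permanently", 302: "Found",
           304: "Not Modified", 400: "Bad Request", 403: "Forbidden", 404: "Not Found"}

# Constructed sample: the page's response, status line as HTTP/2 tools print it.
SAMPLE = """HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 48291
cache-control: public, max-age=3600, must-revalidate
etag: "a1b2c3d4e5f6"
last-modified: Mon, 15 Jan 2024 10:30:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' https://cdn.example.com
referrer-policy: strict-origin-when-cross-origin
vary: Accept-Encoding
content-encoding: gzip
server: nginx/1.24.0
date: Tue, 16 Jan 2024 08:45:22 GMT

<html>"""

@dataclass
class ParsedResponse:
    version: str
    status: int
    reason: str
    headers: list            # [(lowercased name, value), ...] in wire order

    def get(self, name):     # first value, case-insensitive; None if absent
        name = name.lower()
        return next((v for n, v in self.headers if n == name), None)

    def get_all(self, name): # every value, e.g. for repeated Set-Cookie
        name = name.lower()
        return [v for n, v in self.headers if n == name]

def parse_response_head(raw: str) -> ParsedResponse:
    lines = raw.replace("\r\n", "\n").split("\n")
    while lines and not lines[0].strip():
        lines.pop(0)                          # tolerate leading blank lines
    if not lines:
        raise ValueError("empty input")
    m = STATUS_RE.match(lines[0].rstrip())
    if not m:
        raise ValueError(f"malformed status line: {lines[0]!r}")
    version, status, reason = m.group(1), int(m.group(2)), m.group(3) or ""
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                             # blank line ends the header block
        if line[0] in " \t":                  # obs-fold: continuation of the previous field
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, f"{value} {line.strip()}")
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.rstrip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return ParsedResponse(version, status, reason.strip() or REASONS.get(status, ""), headers)

def human_duration(seconds: int) -> str:
    for unit, size in (("year", 31_536_000), ("day", 86_400), ("hour", 3_600), ("minute", 60)):
        if seconds >= size:
            n = seconds / size
            n = int(n) if n.is_integer() else round(n, 1)
            return f"{n} {unit}{'' if n == 1 else 's'}"
    return f"{seconds} second{'' if seconds == 1 else 's'}"

def explain_basic(resp: ParsedResponse) -> dict:
    """Explanations in the page's style for the size and HSTS headers."""
    out = {}
    length = resp.get("content-length")
    if length and length.isdigit():
        n, enc = int(length), resp.get("content-encoding")
        out["content-length"] = (f"Response body is {n:,} bytes ({n / 1024:.1f} KB) as transferred"
                                 + (f", i.e. the {enc}-compressed size" if enc else ""))
    hsts = resp.get("strict-transport-security")
    if hsts and (m := re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)):
        scope = "this host and all subdomains" if re.search("includeSubDomains", hsts, re.I) else "this host only"
        out["strict-transport-security"] = (f"Enforce HTTPS for {human_duration(int(m.group(1)))} on {scope}"
                                            " (only honoured when received over HTTPS)")
    return out
```

Rejecting "Host : x"-style lines rather than trimming them is deliberate: a front end and a back end that disagree on whether that line is a header is exactly the disagreement request smuggling exploits, so an analyzer should surface it instead of silently normalising.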
Analyzing Security Headers
The parser evaluates security headers and explains their implications:
/* Security headers analysis */
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src *; frame-ancestors 'none'
/* Parsed directives */
default-src 'self'
→ All resource types default to same-origin only
script-src 'self' https://cdn.example.com
→ Scripts allowed from: this origin + cdn.example.com
→ ✓ No 'unsafe-eval': eval() and Function() are blocked
style-src 'self' 'unsafe-inline'
→ ⚠ 'unsafe-inline' allows inline <style> blocks and style attributes, so injected CSS is not blocked; consider nonces or hashes
img-src *
→ Images allowed from any origin and scheme, including http: (data: and blob: are not covered by *)
→ ⚠ Consider restricting to https: or an explicit host list
frame-ancestors 'none'
→ Page cannot be embedded in any frame; supersedes X-Frame-Options, which browsers ignore when frame-ancestors is present
→ ✓ Prevents clickjacking attacks
/* Missing security headers — flagged by parser */
⚠ Missing: Permissions-Policy
⚠ Missing: Cross-Origin-Opener-Policy
⚠ Missing: Cross-Origin-Resource-Policy
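A policy analyzer that reproduces these findings, as an added example rather than the page's own code. It encodes the two CSP rules that most often trip up a manual review: fetch directives such as script-src inherit default-src, but frame-ancestors, base-uri and form-action do not (so a policy with only default-src 'self' still allows framing and <base> injection); and when a directive appears twice the first occurrence wins. The `missing_security_headers` check at the end is the same kind of lookup the parser reports above; `PAGE_CSP` is the policy from this section, constructed inline, and all function names are this example's own.

```python
"""Parse a Content-Security-Policy value and flag the weak spots.

Added example, not the page's own analyzer. It encodes the fallback
rules that matter in review: the *-src fetch directives inherit
default-src, while frame-ancestors, base-uri and form-action do not
(they must be set explicitly); the first occurrence of a directive
wins and later duplicates are ignored.
"""
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}
RECOMMENDED_HEADERS = (
    "strict-transport-security", "x-content-type-options", "content-security-policy",
    "referrer-policy", "permissions-policy", "cross-origin-opener-policy",
    "cross-origin-resource-policy",
)
# Constructed sample: the policy analysed on the page.
PAGE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
            "style-src 'self' 'unsafe-inline'; img-src *; frame-ancestors 'none'")

def parse_csp(policy: str) -> dict:
    directives = {}
    for serialized in policy.split(";"):
        tokens = serialized.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return directives

def effective(directives: dict, name: str):
    """(sources, directive they came from), or (None, None) when unrestricted."""
    if name in directives:
        return directives[name], name
    if name in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"], "default-src"
    return None, None

def _has_nonce_or_hash(sources):
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)

def analyze_csp(policy: str) -> list:
    """Return (severity, directive, message) triples; severity is 'ok' or 'warn'."""
    d, out = parse_csp(policy), []
    def warn(directive, msg): out.append(("warn", directive, msg))
    def ok(directive, msg): out.append(("ok", directive, msg))

    scripts, via = effective(d, "script-src")
    if scripts is None:
        warn("script-src", "neither script-src nor default-src set: scripts may load from anywhere")
    else:
        tag = "script-src" if via == "script-src" else "script-src (via default-src)"
        if "'unsafe-inline'" in scripts and not _has_nonce_or_hash(scripts):
            warn(tag, "'unsafe-inline' permits inline scripts: XSS mitigation is largely void")
        if "'unsafe-eval'" in scripts:
            warn(tag, "'unsafe-eval' permits eval() and Function()")
        else:
            ok(tag, "no 'unsafe-eval': eval() and Function() are blocked")
        for broad in ("*", "http:", "https:", "data:"):
            if broad in scripts:
                warn(tag, f"{broad} as a script source is effectively allow-all")

    styles, _ = effective(d, "style-src")
    if styles and "'unsafe-inline'" in styles and not _has_nonce_or_hash(styles):
        warn("style-src", "'unsafe-inline' allows inline styles and style attributes: consider nonces or hashes")

    for name in ("img-src", "connect-src", "frame-src", "font-src"):
        sources, _ = effective(d, name)
        if sources and "*" in sources:
            warn(name, "* allows any origin over any scheme (including http:): consider restricting to https:")

    objects, _ = effective(d, "object-src")
    if objects != ["'none'"]:
        warn("object-src", "not 'none': plugin content (<object>/<embed>) could be loaded")
    if "base-uri" not in d:
        warn("base-uri", "missing (no fallback to default-src): an injected <base> can redirect relative script URLs")
    ancestors = d.get("frame-ancestors")
    if ancestors is None:
        warn("frame-ancestors", "missing (no fallback to default-src): set it or keep X-Frame-Options")
    elif ancestors == ["'none'"]:
        ok("frame-ancestors", "'none': page cannot be framed, clickjacking prevented")
    return out

def missing_security_headers(present_names) -> list:
    present = {n.lower() for n in present_names}
    return [h for h in RECOMMENDED_HEADERS if h not in present]
```

Run against `PAGE_CSP` the analyzer reports the same style-src, img-src and frame-ancestors findings as the page, and additionally flags the missing base-uri and the object-src that silently inherits 'self' from default-src.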
Parsing Cache Headers
Cache headers interact in complex ways. The parser explains the combined caching behavior:
/* Cache headers from a static asset response */
Cache-Control: public, max-age=31536000, immutable
ETag: "v2.1.0-abc123"
Last-Modified: Fri, 01 Dec 2023 00:00:00 GMT
Vary: Accept-Encoding
/* Parser explanation */
Cache-Control: public, max-age=31536000, immutable
public → Can be cached by browsers AND CDNs/proxies
max-age=31536000 → Cache for 365 days (1 year)
immutable → Browser will not send a conditional request while the response is fresh, even on a user reload
→ Combined: served from cache for 1 year with no revalidation, so the URL must change (e.g. a content hash or version in the filename) whenever the file does
ETag: "v2.1.0-abc123"
→ Fingerprint for conditional requests
→ Client sends: If-None-Match: "v2.1.0-abc123"
→ Server returns 304 Not Modified if unchanged
Vary: Accept-Encoding
→ The request's Accept-Encoding value becomes part of the cache key, so each encoding gets its own entry
→ gzip, br and uncompressed responses are stored separately; a cache that ignores Vary could hand gzip bytes to a client that cannot decode them
/* Cache headers from an API response */
Cache-Control: no-store
no-store → Never cache this response anywhere
→ Use for: sensitive data, authentication responses, personalized content
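The combined behaviour the parser describes can be computed rather than eyeballed. The following is an added example (not the page's parser) that takes a response's headers and derives whether the response is storable, by whom, for how long, under which directive, and which conditional request a client would send. It follows RFC 9111 precedence (no-store, then s-maxage for shared caches, max-age, Expires minus Date, then the 10% Last-Modified heuristic caches commonly fall back to) and treats an unparsable Expires such as "0" as already expired. The three sample header sets are constructed from this section; `effective_caching` and the other names are this example's own.

```python
"""Derive the combined caching behaviour from a response's headers.

Added example, not the page's parser. Input is a dict of header names
(any case) to values. Freshness follows RFC 9111 precedence: no-store
first; then s-maxage (shared caches only), max-age, Expires minus Date,
and finally the 10%-of-Last-Modified-age heuristic caches commonly use
when nothing explicit is present. An unparsable Expires (e.g. "0")
counts as already expired.
"""
from email.utils import parsedate_to_datetime

# Constructed samples: the page's static-asset and API responses, plus a legacy one.
STATIC_ASSET = {"Cache-Control": "public, max-age=31536000, immutable", "ETag": '"v2.1.0-abc123"',
                "Last-Modified": "Fri, 01 Dec 2023 00:00:00 GMT", "Vary": "Accept-Encoding"}
API_RESPONSE = {"Cache-Control": "no-store"}
LEGACY = {"Expires": "0", "Pragma": "no-cache", "Date": "Tue, 16 Jan 2024 08:45:22 GMT"}

def parse_cache_control(value: str) -> dict:
    """'public, max-age=3600' -> {'public': True, 'max-age': '3600'} (names lowercased)."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return out

def _seconds(value):
    return int(value) if isinstance(value, str) and value.isdigit() else None

def _httpdate(value):
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):      # invalid HTTP-date (older Pythons raise TypeError)
        return None

def effective_caching(headers: dict, shared_cache: bool = False) -> dict:
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    r = {"storable": True, "shared": "private" not in cc, "fresh_for": None, "freshness_source": None,
         "revalidate_always": "no-cache" in cc, "serve_stale": True, "immutable": "immutable" in cc,
         "conditional_request": {}, "vary": [], "notes": []}
    if "no-store" in cc:
        r.update(storable=False, shared=False, fresh_for=0, freshness_source="no-store")
        return r

    if shared_cache and (s := _seconds(cc.get("s-maxage"))) is not None:
        r.update(fresh_for=s, freshness_source="s-maxage")
    elif (m := _seconds(cc.get("max-age"))) is not None:
        r.update(fresh_for=m, freshness_source="max-age")
    elif "expires" in h:
        exp, date = _httpdate(h["expires"]), _httpdate(h.get("date", ""))
        if exp is None:
            r.update(fresh_for=0, freshness_source="expires (invalid date, treated as already expired)")
        elif date is not None:
            r.update(fresh_for=max(int((exp - date).total_seconds()), 0), freshness_source="expires")
    elif "last-modified" in h and "date" in h:
        lm, date = _httpdate(h["last-modified"]), _httpdate(h["date"])
        if lm and date:
            r.update(fresh_for=int((date - lm).total_seconds() * 0.10),
                     freshness_source="heuristic (10% of Last-Modified age)")
    if "expires" in h and r["freshness_source"] in ("max-age", "s-maxage"):
        r["notes"].append("Expires ignored: Cache-Control max-age/s-maxage takes precedence")

    if "no-cache" in cc or "must-revalidate" in cc or ("proxy-revalidate" in cc and shared_cache):
        r["serve_stale"] = False         # stale copies must be revalidated before reuse
    if r["immutable"]:
        r["notes"].append("immutable: no conditional request during freshness, even on reload")
    if "etag" in h:
        r["conditional_request"]["If-None-Match"] = h["etag"]
    if "last-modified" in h:
        r["conditional_request"]["If-Modified-Since"] = h["last-modified"]
    r["vary"] = [v.strip() for v in h.get("vary", "").split(",") if v.strip()]
    if "*" in r["vary"]:
        r["notes"].append("Vary: * means no stored copy can ever match: effectively uncacheable")
    return r
```

The `shared_cache` flag matters because a CDN and a browser can legitimately reach different answers for the same headers: s-maxage applies only to the shared cache, and proxy-revalidate only binds it.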
Parsing CORS Headers
CORS headers control cross-origin access. The parser explains what each directive allows:
/* CORS response headers */
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization, X-Request-ID
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 3600
Access-Control-Expose-Headers: X-Total-Count, X-Page-Number
/* Parser explanation */
Access-Control-Allow-Origin: https://app.example.com
→ Only pages on https://app.example.com may read the response; the browser still sends simple requests from other origins but withholds the response from their scripts
→ ✓ Specific origin (not wildcard), which is required when credentials are used. If the server fills this in by echoing the request's Origin header, it must validate the value against an allowlist and send Vary: Origin, otherwise any site can read authenticated responses
Access-Control-Allow-Credentials: true
→ Cookies, client certificates and Authorization are sent on requests made with credentials (fetch credentials: 'include' or XHR withCredentials) and the response is exposed to the calling script
→ ⚠ Requires a specific origin (not *) in Allow-Origin; the value must be exactly "true", and * in Allow-Methods or Allow-Headers is not honoured either when credentials are used
Access-Control-Max-Age: 3600
→ Preflight result cached for 1 hour, per requesting origin and URL
→ Browser won't send an OPTIONS preflight for that URL for 1 hour; browsers cap the value (Chromium at 7200 s), so larger numbers buy nothing
Access-Control-Expose-Headers: X-Total-Count, X-Page-Number
→ These custom headers are readable by JavaScript on the calling origin
→ Without this, only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) are visible to browser scripts
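The rules above are easier to trust when they are executable. Below is an added example, not the page's parser, that simulates the browser side of CORS: whether script on a given origin may read a response, which headers it can see, and whether a preflight with the given method and headers would be accepted. It encodes the points reviewers most often get wrong: Allow-Origin is compared as an exact string, * is refused with credentials, Allow-Credentials must be literally "true", and * in Allow-Headers never covers Authorization. `PAGE_HEADERS` is the header set from this section, constructed inline; the function names and the 7200-second Chromium cap constant are this example's own.

```python
"""Simulate the browser-side CORS decisions for a response and a preflight.

Added example, not the page's parser. It encodes the Fetch standard
rules a reviewer has to check by hand: Allow-Origin is compared to the
request origin as an exact string, '*' is refused for credentialed
requests, Allow-Credentials must be literally "true", only the
safelisted response headers are readable unless exposed, and a
preflight is required for non-simple methods or headers.
"""
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFELISTED_RESPONSE_HEADERS = {"cache-control", "content-language", "content-length",
                               "content-type", "expires", "last-modified", "pragma"}
PREFLIGHT_MAX_AGE_CAP = 7200      # Chromium clamps Access-Control-Max-Age to 2 h (Firefox: 24 h)
PREFLIGHT_DEFAULT_AGE = 5         # Fetch default when the header is absent

# Constructed sample: the page's CORS response headers.
PAGE_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Request-ID",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "3600",
    "Access-Control-Expose-Headers": "X-Total-Count, X-Page-Number",
}

def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def _is_simple_header(name: str, value: str) -> bool:
    n = name.lower()
    if n not in SAFELISTED_REQUEST_HEADERS:
        return False
    return n != "content-type" or value.split(";")[0].strip().lower() in SIMPLE_CONTENT_TYPES

def needs_preflight(method: str, request_headers: dict) -> bool:
    return (method.upper() not in SAFELISTED_METHODS
            or not all(_is_simple_header(n, v) for n, v in request_headers.items()))

def cors_response_check(origin: str, credentials: bool, response_headers: dict) -> dict:
    """Would the browser let script on `origin` read this response?"""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao, notes = h.get("access-control-allow-origin"), []
    def blocked(reason):
        return {"readable": False, "reason": reason, "exposed": [], "notes": notes}
    if acao is None:
        return blocked("no Access-Control-Allow-Origin header")
    if acao == "*":
        if credentials:
            return blocked("'*' is not accepted for credentialed requests")
    elif acao != origin:                      # exact, case-sensitive; no lists, no patterns
        return blocked(f"Allow-Origin {acao!r} does not match request origin {origin!r}")
    if credentials and h.get("access-control-allow-credentials") != "true":
        return blocked("credentialed request but Allow-Credentials is not exactly 'true'")
    if acao == "null":
        notes.append("'null' origin is reachable from sandboxed iframes and data: URLs; never allow it")
    if acao != "*" and "origin" not in {v.lower() for v in _csv(h.get("vary"))}:
        notes.append("specific Allow-Origin without Vary: Origin: a shared cache may replay it to another origin")
    exposed = set(SAFELISTED_RESPONSE_HEADERS)
    for name in _csv(h.get("access-control-expose-headers")):
        if name == "*" and not credentials:
            exposed.add("*")                  # everything except Set-Cookie becomes readable
        elif name != "*":                     # with credentials, '*' is just a literal header name
            exposed.add(name.lower())
    return {"readable": True, "reason": "allowed", "exposed": sorted(exposed), "notes": notes}

def cors_preflight_check(origin, method, request_headers, credentials, response_headers) -> dict:
    """Would the browser accept this preflight response and send the real request?"""
    base = cors_response_check(origin, credentials, response_headers)
    if not base["readable"]:
        return {"allowed": False, "reason": base["reason"]}
    h = {k.lower(): v for k, v in response_headers.items()}
    methods = {m.upper() for m in _csv(h.get("access-control-allow-methods"))}
    allowed = {x.lower() for x in _csv(h.get("access-control-allow-headers"))}
    wildcard_ok = not credentials             # '*' in Allow-Methods/Allow-Headers only counts without credentials
    m = method.upper()
    if m not in methods and m not in SAFELISTED_METHODS and not (wildcard_ok and "*" in methods):
        return {"allowed": False, "reason": f"method {m} not in Allow-Methods"}
    for name, value in request_headers.items():
        n = name.lower()
        if _is_simple_header(name, value) or n in allowed:
            continue
        if wildcard_ok and "*" in allowed and n != "authorization":   # '*' never covers Authorization
            continue
        return {"allowed": False, "reason": f"header {name} not in Allow-Headers"}
    age = h.get("access-control-max-age", "")
    cache_for = min(int(age), PREFLIGHT_MAX_AGE_CAP) if age.isdigit() else PREFLIGHT_DEFAULT_AGE
    return {"allowed": True, "reason": "allowed", "preflight_cache_seconds": cache_for}
```

Note that the simulator reports the missing Vary: Origin on the page's header set as a note rather than a failure: it is harmless while the origin is hard-coded, and becomes a cache-poisoning problem only once the server starts varying the value per request.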
Identifying Deprecated and Non-Standard Headers
The parser flags deprecated headers and explains modern replacements:
/* Headers with issues */
X-XSS-Protection: 1; mode=block
→ ⚠ Deprecated: Chromium removed the XSS Auditor this header controlled in version 78, and Firefox never implemented one; the auditor itself was abusable for cross-site leaks
→ Rely on Content-Security-Policy instead; if the header is sent at all, send X-XSS-Protection: 0
Pragma: no-cache
→ ⚠ HTTP/1.0 header defined only for requests; in a response it has no standard meaning. Use Cache-Control: no-cache instead
→ Still emitted by some legacy frameworks and honoured by some old caches, so it does no harm alongside Cache-Control
Expires: 0
→ ⚠ Old-style cache expiry; use Cache-Control instead. Whenever Cache-Control carries max-age or s-maxage, Expires is ignored
→ Expires: 0 is not a valid HTTP-date; caches treat an invalid Expires as "already expired", so the effect is no caching
X-Powered-By: PHP/8.1.0
→ ⚠ Discloses the framework and its exact version, which lets an attacker fingerprint the stack and target known weaknesses of that release
→ Remove this header to reduce information disclosure; the same applies to version strings in Server (nginx/1.24.0 in the first example above)
P3P: CP="This is not a P3P policy"
→ ⚠ Obsolete privacy header that only old Internet Explorer ever read; no current browser supports P3P. A dummy value like this was the old workaround for getting IE to accept third-party cookies
/* Non-standard but common headers */
X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
→ Custom header for request tracing (not in the HTTP spec)
→ Used by many APIs for debugging and log correlation; have the edge generate or overwrite it, because a client-supplied value flows straight into logs and can be spoofed or used for log injection
CF-Ray: 7a1b2c3d4e5f6789-IAD
→ Cloudflare-specific request identifier; the suffix after the hyphen (IAD here) is the IATA code of the Cloudflare data center that handled the request