HTTP Header Analyzer
Fetch and analyze HTTP response headers for any URL. Check security headers, caching, CORS, and more.
About This Tool
The HTTP Header Analyzer lets you inspect the response headers returned by any web server. Simply enter a URL, and the tool fetches the page through a lightweight server-side proxy, capturing every header along the way — including the full redirect chain, response time, and protocol information.
HTTP headers are the invisible metadata that accompanies every web request and response. They control how browsers cache content, whether cross-origin requests are allowed, which security policies are enforced, and much more. Misconfigured headers can lead to security vulnerabilities, poor performance, and broken cross-origin integrations. This tool surfaces all of that information in one organized dashboard.
The security analysis module checks for seven critical headers including Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. Each header is graded individually, and an overall security score from A to F is calculated to give you a quick assessment of your site's header-level security posture.
Beyond security, the tool breaks down caching directives from the Cache-Control header, inspects CORS configuration, and identifies the server software behind the response. Whether you are debugging a deployment, auditing a third-party API, or hardening your own site's security headers, this tool gives you immediate, actionable insight. It pairs well with the Curl to Code Converter and the HTTP Status Codes reference.
How to Use
- Enter the URL you want to analyze into the input field. The https:// prefix is added automatically if missing.
- Click Fetch Headers or press Ctrl+Enter to send the request.
- Review the status code, response time, and protocol at the top of the results.
- If redirects occurred, inspect the Redirect Chain section to see each hop and its status code.
- Check the Security Headers table for your overall grade and header-by-header breakdown.
- Review Caching and CORS sections to understand cache behavior and cross-origin access policies.
- Use the All Response Headers table to search, filter, and copy any header value. Click Copy All or Copy curl -I to export the results.
FAQ
What are HTTP response headers?
HTTP response headers are key-value pairs sent by a web server along with the response body. They contain metadata about the response such as content type, caching rules, security policies, and server information. Browsers use these headers to determine how to handle and display the response.
What does the security grade mean?
The security grade (A through F) is calculated based on the presence and correct configuration of seven important security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection (deprecated), Referrer-Policy, and Permissions-Policy. An A grade means most headers are properly configured, while an F indicates several are missing.
Why is Strict-Transport-Security (HSTS) important?
HSTS tells browsers to always connect to your site via HTTPS, even if the user types http:// in the address bar. Without HSTS, an attacker could intercept the initial HTTP request in a man-in-the-middle attack before the redirect to HTTPS occurs. A max-age of at least one year (31536000 seconds) is recommended.
What is Content-Security-Policy (CSP)?
CSP is a security header that tells the browser which sources of content (scripts, styles, images, etc.) are allowed to load on a page. It is the most effective defense against cross-site scripting (XSS) attacks because it blocks unauthorized inline scripts and third-party resources. Configuring CSP can be complex, but even a basic policy provides significant protection.
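
The seven-header check described in the answers above can be sketched as follows. This is an added example, not the tool's own code: the per-header rules, the `auditSecurityHeaders` name, and the grade cut-offs are assumptions, and the sample headers are constructed.

```javascript
// Added example: check rules and grade cut-offs are assumptions, not the tool's scoring.
// The CSP rule is a heuristic; it does not evaluate nonces, hashes or 'strict-dynamic'.
const ONE_YEAR = 31536000; // seconds, the minimum HSTS max-age the page recommends
const CHECKS = {
  "strict-transport-security": (v) => {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(v);
    if (!m) return "fail: no max-age directive";
    return Number(m[1]) >= ONE_YEAR ? "pass" : "weak: max-age under one year";
  },
  "content-security-policy": (v) => {
    if (!/(?:^|;)\s*(?:default-src|script-src)\s/i.test(v)) return "weak: no default-src or script-src";
    return /'unsafe-inline'/i.test(v) ? "weak: allows 'unsafe-inline'" : "pass";
  },
  "x-frame-options": (v) =>
    /^(deny|sameorigin)$/i.test(v.trim()) ? "pass" : "fail: expected DENY or SAMEORIGIN",
  "x-content-type-options": (v) =>
    v.trim().toLowerCase() === "nosniff" ? "pass" : "fail: expected nosniff",
  // Deprecated header: explicitly off or the legacy blocking mode are both accepted here.
  "x-xss-protection": (v) =>
    /^(0|1\s*;\s*mode=block)$/i.test(v.trim()) ? "pass" : "weak: unexpected value",
  "referrer-policy": (v) =>
    /(^|,)\s*unsafe-url\s*$/i.test(v) ? "weak: unsafe-url leaks full URLs" : "pass",
  "permissions-policy": (v) => (v.trim() ? "pass" : "fail: empty policy"),
};

function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = String(v);
  const findings = {};
  let passed = 0;
  for (const [name, check] of Object.entries(CHECKS)) {
    findings[name] = name in headers ? check(headers[name]) : "missing";
    if (findings[name] === "pass") passed += 1;
  }
  // Assumed cut-offs: 6-7 passes = A, 5 = B, 4 = C, 3 = D, fewer = F.
  const grade = passed >= 6 ? "A" : "FFFDCB"[passed];
  return { grade, passed, findings };
}

// Constructed sample response headers (not captured from a real site).
const sample = {
  "Strict-Transport-Security": "max-age=86400; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
console.log(auditSecurityHeaders(sample));
```

The sample shows why presence alone is not enough: HSTS and CSP are both sent, but a one-day max-age and 'unsafe-inline' keep them from counting as passes.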
How does the caching analysis work?
The tool parses the Cache-Control header and extracts directives like max-age, no-cache, no-store, public, and private. It also checks for Expires, ETag, and Last-Modified headers to determine whether conditional requests are supported. The assessment tells you how long content is cached and under what conditions.
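
One way to implement the caching analysis described above, as an added example rather than the tool's own code. The function names and the wording of the verdicts are assumptions, and the sample headers are constructed.

```javascript
// Added example: verdict wording is an assumption, not the tool's output.
function parseCacheControl(value) {
  const directives = {};
  // Simple comma split; quoted arguments that contain commas are not handled.
  for (const part of (value || "").split(",")) {
    const [rawName, ...rest] = part.trim().split("=");
    if (!rawName) continue;
    // Valueless directives (no-store, public, private, ...) are stored as true.
    const arg = rest.join("=").replace(/^"|"$/g, "");
    directives[rawName.toLowerCase()] = rest.length ? arg : true;
  }
  return directives;
}

function assessCaching(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const cc = parseCacheControl(h["cache-control"]);
  // ETag or Last-Modified lets a client revalidate with a conditional request.
  const validators = ["etag", "last-modified"].filter((n) => n in h);
  let verdict;
  if (cc["no-store"]) verdict = "not stored by any cache";
  else if (cc["no-cache"]) verdict = "stored, but revalidated before every reuse";
  else if (/^\d+$/.test(cc["max-age"])) {
    // private keeps the response out of shared caches such as CDNs and proxies.
    const scope = cc.private ? "browser cache only" : "shared and browser caches";
    verdict = `fresh for ${cc["max-age"]}s in ${scope}`;
  } else if (h.expires) verdict = `fresh until ${h.expires}`;
  else verdict = "no explicit lifetime; caches may apply heuristics";
  return { directives: cc, conditionalRequests: validators.length > 0, validators, verdict };
}

// Constructed sample response headers (not captured from a real site).
const cachedSample = { "Cache-Control": "private, max-age=600", ETag: '"abc123"' };
console.log(assessCaching(cachedSample));
```

For responses that carry per-user data, the `private` and `no-store` branches are the ones to look for: a bare `max-age` without them allows shared caches to keep the response.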
Does this tool send my URL to a server?
Yes. Because browsers block cross-origin header inspection due to CORS restrictions, the URL is fetched through a lightweight server-side proxy on the same domain. Only the response headers are captured and returned -- no page content is stored, logged, or shared with third parties.
Can I test pages behind authentication?
No. The server-side proxy fetches the URL as an anonymous client without cookies or authentication tokens. If the page requires login, you will receive the headers of the login page or an authentication error. To test authenticated endpoints, use a tool like curl directly from your terminal with the appropriate credentials.