About
The HTTP Header Analyzer parses raw HTTP response headers you paste in, categorizes every header by type (security, CORS, caching, authentication, content, other), and evaluates the security posture of your server configuration. Each header entry is expandable to show what the header does and whether its current value represents a good practice, a warning, or a potential misconfiguration. The Security Score (0–100) summarizes the overall posture: it deducts points for missing best-practice security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP) and for headers with problematic values. A "Missing security headers" panel shows exactly which important headers are absent. All analysis runs entirely in your browser — the headers you paste are never sent to any server.
How to use
1. Copy HTTP response headers from your browser DevTools (Network tab → select a request → Response Headers) or from curl output.
2. Paste the headers into the left panel — the analysis updates immediately.
3. Click "Load example" to see a sample analysis of a well-configured server.
4. Review the Security Score and the missing headers list to identify gaps.
5. Click on any individual header row to expand it and read the description, expected values, and any risk note.
6. Use the category labels (Security, CORS, Caching, Auth, Content) to focus on a specific area.
FAQ
- How do I get the response headers for my website?
  Open your browser DevTools (F12 or Cmd+Option+I), go to the Network tab, navigate to your website, select the main HTML request, and copy the "Response Headers" section. You can also use curl: run `curl -I https://yourdomain.com` in a terminal to get only the response headers.
- What is the Security Score based on?
  The score starts at 100 and deducts points for missing best-practice security headers (10 points each) and for headers with poor values — for example, an HSTS max-age under one year (-5), a CSP with unsafe-inline/unsafe-eval (-5), or a server header leaking version details (-5). A score of 80+ is good; 60–79 needs improvement; below 60 has significant gaps.
- What does "unsafe-inline" in a Content-Security-Policy mean?
  unsafe-inline allows inline JavaScript and inline CSS to execute without restriction, which defeats XSS protection for those content types. Modern CSP best practice avoids unsafe-inline by using nonces or hashes for legitimate inline content instead.
- Why is HSTS max-age important?
  HSTS (HTTP Strict Transport Security) tells browsers to only connect via HTTPS for the duration specified by max-age (in seconds). A max-age of at least 31,536,000 (one year) is required for HSTS preload lists, which prevent first-visit downgrade attacks. Shorter values mean the browser could be downgraded to HTTP after the period expires.
- Is my data sent to any server?
  No. The entire analysis runs in JavaScript in your browser. The headers you paste are never transmitted anywhere — this makes it safe to paste headers from internal APIs, staging environments, or any server you would not expose publicly.
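The parsing, categorization and scoring described in the About section and in the Security Score, CSP and HSTS answers above, written out as one added JavaScript example. This is not the HTTP Header Analyzer's own code. The point deductions and rating thresholds are the ones the page states; the category membership lists, the digit-in-Server heuristic for version leakage, and the two sample header sets are assumptions constructed for this example.

```javascript
// Added example, not the analyzer's own code: parse pasted response headers,
// categorize them, and score them with the deductions the page describes.

const SECURITY_HEADERS = [
  'strict-transport-security', 'content-security-policy', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
  'cross-origin-opener-policy', 'cross-origin-embedder-policy',
];
const ONE_YEAR_SECONDS = 31536000; // preload-list minimum for HSTS max-age

// Category membership is an assumption for this example; the tool's own
// header-to-category mapping is not published on the page.
function categorize(name) {
  if (SECURITY_HEADERS.includes(name)) return 'security';
  if (name.startsWith('access-control-')) return 'cors';
  if (['cache-control', 'expires', 'etag', 'last-modified', 'vary', 'age'].includes(name)) return 'caching';
  if (['www-authenticate', 'proxy-authenticate', 'authorization', 'set-cookie'].includes(name)) return 'auth';
  if (name.startsWith('content-')) return 'content';
  return 'other';
}

// Parse raw header text as copied from DevTools or `curl -I`. Returns a Map of
// lower-cased header name -> array of values (Set-Cookie may legitimately repeat).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (!trimmed || /^HTTP\/\d/i.test(trimmed)) continue; // blank or status line
    const colon = trimmed.indexOf(':');
    if (colon <= 0) continue; // not "name: value"; also drops HTTP/2 ":status: 200"
    const name = trimmed.slice(0, colon).trim().toLowerCase();
    const value = trimmed.slice(colon + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Extract max-age from an HSTS value; null when the directive is absent.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)/i.exec(value);
  return m ? Number(m[1]) : null;
}

function rating(score) {
  if (score >= 80) return 'good';
  if (score >= 60) return 'needs improvement';
  return 'significant gaps';
}

function analyze(raw) {
  const headers = parseHeaders(raw);
  const findings = [];
  let score = 100;

  // 10 points per missing best-practice security header.
  const missing = SECURITY_HEADERS.filter((h) => !headers.has(h));
  score -= 10 * missing.length;
  for (const h of missing) findings.push({ header: h, level: 'missing', note: 'header absent' });

  // HSTS max-age under one year (-5): the browser may fall back to HTTP once it expires.
  const hsts = headers.get('strict-transport-security');
  if (hsts) {
    const age = hstsMaxAge(hsts[0]);
    if (age === null || age < ONE_YEAR_SECONDS) {
      score -= 5;
      findings.push({ header: 'strict-transport-security', level: 'warning', note: `max-age ${age} is under one year` });
    }
  }

  // CSP allowing 'unsafe-inline' or 'unsafe-eval' (-5): inline script/style is not restricted.
  const csp = headers.get('content-security-policy');
  if (csp && /'unsafe-(inline|eval)'/i.test(csp.join(' '))) {
    score -= 5;
    findings.push({ header: 'content-security-policy', level: 'warning', note: "policy contains 'unsafe-inline' or 'unsafe-eval'" });
  }

  // Server header leaking version details (-5); a digit in the value is the heuristic used here.
  const server = headers.get('server');
  if (server && /\d/.test(server[0])) {
    score -= 5;
    findings.push({ header: 'server', level: 'warning', note: 'value appears to include a version number' });
  }

  score = Math.max(0, score);
  const categorized = {};
  for (const [name, values] of headers) {
    const cat = categorize(name);
    if (!categorized[cat]) categorized[cat] = [];
    categorized[cat].push({ name, values });
  }
  return { score, rating: rating(score), missing, findings, categorized };
}

// Constructed sample header sets (not captured from any real server).
const GOOD_HEADERS = `HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
cache-control: no-store`;

const WEAK_HEADERS = `HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'
Access-Control-Allow-Origin: *
Set-Cookie: session=abc123; Path=/
Set-Cookie: theme=dark; Path=/`;

console.log(analyze(GOOD_HEADERS).score, analyze(WEAK_HEADERS).score); // 100 25
```

The weak sample loses 60 points for six absent headers, then 5 each for the one-day HSTS max-age, the `'unsafe-inline'`/`'unsafe-eval'` sources and the versioned Server value, landing at 25 ("significant gaps"). Text from `curl -I` parses because the status line is skipped; keep in mind that `-I` issues a HEAD request, and a server may emit different headers for HEAD than for GET, so compare against a GET capture from DevTools when the results differ.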