Back

HTTP Headers Analyzer

HTTP headers carry metadata about requests and responses. This tool parses complete HTTP messages including the request/status line, headers, and body content. It analyzes security headers (HSTS, CSP), authentication (Basic, Bearer), cookies, CORS configuration, and caching directives. Body content is automatically formatted and syntax highlighted based on Content-Type (JSON, HTML, XML).

Specifications

Common Use Cases

  • Debug API requests copied from browser DevTools Network tab
  • Analyze curl -i or curl -v output with headers and body
  • Audit security headers for compliance (OWASP recommendations)
  • Troubleshoot CORS preflight and cross-origin issues
  • Inspect authentication headers and cookie configuration
  • Verify caching behavior for CDN and browser caching

Features

  • Parse full HTTP requests (GET /path HTTP/1.1)
  • Parse HTTP responses with status codes and reason phrases
  • Format and syntax highlight body content (JSON, HTML, XML, CSS)
  • Decode Authorization headers (Basic auth credentials, Bearer tokens)
  • Analyze security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • Parse Set-Cookie attributes (Secure, HttpOnly, SameSite, expiration)
  • Cookie extraction and listing from headers
  • Display CORS headers (Access-Control-Allow-Origin, etc.)
  • Explain Cache-Control directives (max-age, no-cache, private)

Examples

API Response with JSON Body

Try it →

A complete HTTP response with headers and JSON body, as you might copy from curl -i output.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=3600, public
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "status": "success",
  "data": {
    "id": 12345,
    "name": "Example User"
  }
}

HTTP Request with Authentication

Try it →

A request with Bearer token authentication and cookies.

GET /api/users HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Accept: application/json
Cookie: session=abc123; theme=dark

Tips

  • Use "curl -i URL" to include response headers in the output.
  • In browser DevTools, right-click a request and "Copy as cURL" to get the full request.
  • HSTS (Strict-Transport-Security) tells browsers to only use HTTPS for the domain.
  • CSP (Content-Security-Policy) controls which resources the page can load.
  • The SameSite cookie attribute helps prevent CSRF attacks.

Understanding HTTP Headers

HTTP headers are key-value pairs sent between client and server as part of every HTTP request and response. They carry metadata about the message: content type, caching directives, authentication credentials, and security policies. Headers appear after the request or status line and before the optional body, separated from the body by a blank line.

Request headers provide context about the client and desired response. Host identifies the target server. Accept and Content-Type negotiate the media format. Authorization carries credentials (Basic, Bearer, API keys). Cookie sends stored session data. User-Agent identifies the client software.

Response headers control how the client handles content. Cache-Control and ETag govern caching behavior. Set-Cookie establishes client-side state. Content-Security-Policy restricts resource loading to mitigate XSS. Strict-Transport-Security forces HTTPS. CORS headers (Access-Control-Allow-Origin and related) control cross-origin resource sharing, one of the most commonly misconfigured aspects of web APIs.

Understanding headers is essential for debugging web applications. When an API returns unexpected results, headers often reveal the cause: a missing Content-Type, an expired authentication token, a caching directive serving stale data, or a CORS policy blocking the request.

The Cache-Control directive is one of the most misunderstood headers. The no-cache directive does not mean "don't cache" — it means the cache must revalidate with the origin server before using a stored response. The response can still be cached. The no-store directive is what actually prevents caching entirely, and it should be used for sensitive data. For frequently changing content that benefits from conditional requests, no-cache combined with ETag or Last-Modified is the appropriate strategy.

CORS errors occur when a browser request to a different origin is missing the Access-Control-Allow-Origin response header. The server must include this header with either the requesting origin or * for public APIs. When credentials (cookies or Authorization headers) are involved, the wildcard is not allowed — the header must specify the exact origin. Preflight OPTIONS requests additionally require Access-Control-Allow-Methods and Access-Control-Allow-Headers. Bearer token authentication uses the format Authorization: Bearer <token>, where the token is typically a JWT or opaque access token from an OAuth 2.0 flow. Unlike cookies, Bearer tokens are not sent automatically — the client must explicitly attach the header to each request.

Every website should set a minimum set of security headers. Strict-Transport-Security (HSTS) ensures HTTPS is always used. Content-Security-Policy mitigates XSS by restricting resource loading. X-Content-Type-Options: nosniff prevents MIME type sniffing. X-Frame-Options protects against clickjacking, and Referrer-Policy controls what information is sent in the Referer header. APIs should additionally configure appropriate CORS headers to control which origins can make requests.

← Back to all tools