HTTP Header Parser - Analyze & Inspect HTTP Headers Online
Free online HTTP header parser tool. Parse raw HTTP headers, inspect key-value pairs, and check security headers like CSP, HSTS, X-Frame-Options, and more.
Parsed Headers (12)
| Header | Value | Note |
|---|---|---|
| Content-Type | application/json; charset=utf-8 | Indicates the media type of the resource (e.g., JSON, HTML). |
| Cache-Control | public, max-age=3600, s-maxage=7200 | Directives for caching mechanisms in requests and responses. |
| X-Frame-Options | DENY | Security: Prevents clickjacking by controlling iframe embedding. |
| Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' | Security: Controls which resources the browser is allowed to load. |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Security: Forces HTTPS connections for the specified duration. |
| X-Content-Type-Options | nosniff | Security: Prevents MIME-type sniffing attacks. |
| X-XSS-Protection | 1; mode=block | Security: Legacy XSS filter for older browsers. |
| Referrer-Policy | strict-origin-when-cross-origin | Security: Controls how much referrer info is sent with requests. |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Security: Controls which browser features the page can use. |
| Server | nginx/1.24.0 | Identifies the server software. Consider hiding for security. |
| Date | Sat, 29 Mar 2026 12:00:00 GMT | The date and time at which the response was generated. |
| ETag | "abc123" | Identifier for a specific version of a resource for caching. |
Security Headers Check
7/7 present✓
X-Frame-OptionsDENY
✓
Content-Security-Policydefault-src 'self'; script-src 'self' 'unsafe-inline'
✓
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preload
✓
X-Content-Type-Optionsnosniff
✓
X-XSS-Protection1; mode=block
✓
Referrer-Policystrict-origin-when-cross-origin
✓
Permissions-Policycamera=(), microphone=(), geolocation=()
What Is an HTTP Header Parser?
An HTTP Header Parser is a tool that takes raw HTTP response or request headers and breaks them down into structured key-value pairs for easy analysis. HTTP headers carry metadata about the request or response — including content type, caching directives, authentication tokens, security policies, and server information. This tool parses each header line, displays the name and value, provides a brief explanation of common headers, and performs a security audit by checking for the presence of critical security headers such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and others recommended by OWASP.
How to Use the HTTP Header Parser
- Paste raw HTTP headers into the text area, one header per line in 'Header-Name: value' format. A sample set of common headers is provided by default.
- The tool instantly parses the headers and displays them in a structured table with the header name, value, and a brief explanation.
- Scroll down to the Security Headers Check section to see which recommended security headers are present (green check) or missing (red X).
- The security score badge shows how many of the 7 recommended security headers are present in your response.
- Use this tool to audit HTTP responses from your server, API, or CDN before deploying to production.
Common Use Cases
- Security Audit — Check whether your server sends all recommended security headers (CSP, HSTS, X-Frame-Options, etc.) to protect against common web vulnerabilities like clickjacking, XSS, and MIME sniffing.
- Cache Debugging — Analyze Cache-Control, ETag, Expires, and Vary headers to understand how your responses are cached by browsers and CDNs, and troubleshoot stale content issues.
- API Response Inspection — Inspect headers returned by REST or GraphQL APIs to verify content types, CORS configuration, rate limiting headers, and authentication-related headers.
- CORS Troubleshooting — Quickly identify CORS-related headers in a response to debug cross-origin request issues without switching to browser DevTools.
FAQ
What format should the headers be in?
Paste headers in the standard 'Header-Name: value' format, one per line. You can copy headers directly from browser DevTools (Network tab → select a request → copy response headers) or from curl output.
Which security headers are checked?
The tool checks for 7 recommended security headers: X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. These are commonly recommended by OWASP and security best practices.
Does this tool make HTTP requests?
No. This tool only parses headers that you paste into the text area. It does not make any HTTP requests or fetch headers from remote servers. All processing happens locally in your browser.
Can I parse request headers too?
Yes. The parser works with any headers in 'Name: value' format, whether they are request headers (like Accept, Authorization, User-Agent) or response headers (like Content-Type, Set-Cookie, Cache-Control).
What does the security score mean?
The security score shows how many of the 7 recommended security headers are present in your pasted headers. A score of 7/7 means all recommended security headers are present. Missing headers are highlighted with suggestions for what they protect against.