HTTP Header Analyzer

Analyze HTTP response headers — inspect security headers, caching directives, CORS policy, and server configuration.

Browser CORS may block requests to some URLs. Works best with public APIs that allow cross-origin requests. For full header analysis of any site, use curl -I https://example.com from the command line.

About HTTP Header Analysis

HTTP response headers contain critical information about security configuration, caching behaviour, content type, CORS policy, and server technology. Analysing headers helps identify missing security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options), understand caching strategy, debug CORS issues, and audit what server information is exposed to the public.

The most important security headers are: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (mitigates XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), and Referrer-Policy (controls referrer leakage). This tool checks for all of them and flags any that are missing.

FAQ

What are the most important security headers?
Strict-Transport-Security (HSTS) forces HTTPS connections. Content-Security-Policy mitigates XSS and data injection. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME type sniffing. Referrer-Policy controls how much referrer information is shared. These five headers address several of the most common web security weaknesses.
How do I add security headers to my site?
In Nginx: add_header X-Frame-Options "SAMEORIGIN"; (note that a location block inherits add_header directives only if it sets none of its own). In Apache (requires mod_headers): Header always set X-Frame-Options "SAMEORIGIN". For Next.js, Cloudflare, Vercel and other platforms, check their security headers documentation. Use securityheaders.com for a full graded report.