HTTP Header Analyzer
Paste response headers — analyze security, caching, CORS, and content-type settings
Copy from browser DevTools → Network → Response Headers, or from curl -I <url>
Paste HTTP response headers to analyze security headers (CSP, HSTS, X-Frame-Options), caching directives, CORS settings, and content type configuration. No network requests are made.
You copy the response headers from a browser DevTools network tab or a curl -I command and want a quick assessment of the security posture, caching configuration, and CORS settings — without manually looking up every header. Paste them here and get an instant analysis.
Security Headers Analyzed
Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. A missing or overly permissive CSP is one of the most common web security vulnerabilities. This tool parses the directives and flags dangerous values like unsafe-inline, unsafe-eval, and wildcard sources.
Strict-Transport-Security (HSTS)
Forces HTTPS connections. The tool checks max-age, includeSubDomains, and preload directive presence. A max-age below 1 year (31536000 seconds) is flagged as weak.
X-Frame-Options
Prevents clickjacking by controlling whether the page can be embedded in a frame. DENY or SAMEORIGIN are acceptable; a missing header is a warning.
X-Content-Type-Options
Should be nosniff to prevent MIME-type sniffing attacks. Any other value or absence is flagged.
Referrer-Policy
Controls how much referrer information is included with requests. strict-origin-when-cross-origin or stricter is recommended.
Permissions-Policy
Controls access to browser features (camera, geolocation, etc.). Optional but good practice to include.
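As an added illustration (not the analyzer's own source code), the JavaScript below parses a pasted header block the way the FAQ describes (one Name: Value per line, status lines ignored) and applies the CSP, HSTS, X-Frame-Options and X-Content-Type-Options checks listed above, including the 'unsafe-hashes' and scheme-only http:/https: cases; the function names and the sample headers are assumptions constructed for the example.

```javascript
// Added example, not the analyzer's own source: header parsing plus the
// security checks described on this page, run over a constructed paste.
const SAMPLE = `HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:
Strict-Transport-Security: max-age=86400
X-Frame-Options: SAMEORIGIN
Content-Type: text/html`;   // constructed input, the kind a user would paste

// One "Name: Value" per line; blank lines and HTTP status lines are ignored.
function parseHeaders(text) {
  const headers = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim(), i = line.indexOf(':');
    if (i < 1 || /^HTTP\/\d/.test(line)) continue;   // blank, junk or status line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    // A repeated field name is joined with a comma, as RFC 9110 list fields allow.
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Returns findings as {header, severity, message}; absent headers are warnings.
function analyzeSecurity(h) {
  const out = [];
  const csp = h['content-security-policy'];
  if (!csp) out.push({ header: 'CSP', severity: 'warning', message: 'missing' });
  else for (const directive of csp.split(';').map(d => d.trim()).filter(Boolean)) {
    const [name, ...sources] = directive.split(/\s+/);
    for (const src of sources) {
      // unsafe-* keywords, the bare wildcard, and scheme-only sources (http:/https:)
      if (/^'unsafe-(inline|eval|hashes)'$/.test(src) || src === '*' || /^https?:$/.test(src))
        out.push({ header: 'CSP', severity: 'error', message: `${name} allows ${src}` });
    }
  }
  const hsts = h['strict-transport-security'];
  if (!hsts) out.push({ header: 'HSTS', severity: 'warning', message: 'missing' });
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;                // a missing max-age counts as 0
    if (maxAge < 31536000) out.push({ header: 'HSTS', severity: 'warning', message: `max-age ${maxAge} is below one year` });
    if (!/includeSubDomains/i.test(hsts)) out.push({ header: 'HSTS', severity: 'info', message: 'includeSubDomains absent' });
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo))
    out.push({ header: 'X-Frame-Options', severity: 'warning', message: xfo ? `unexpected value ${xfo}` : 'missing' });
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    out.push({ header: 'X-Content-Type-Options', severity: 'low', message: 'not nosniff' });
  return out;
}
```

Running analyzeSecurity(parseHeaders(SAMPLE)) on the constructed paste yields five findings: two CSP errors on script-src, two HSTS warnings, and the missing nosniff value.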
Caching Headers Analyzed
- Cache-Control: Parsed into individual directives — max-age, s-maxage, no-cache, no-store, must-revalidate, stale-while-revalidate
- ETag: Presence check and weak/strong classification
- Last-Modified: Presence check for conditional request support
- Expires: Deprecated but still present in some responses — flagged if used without Cache-Control
How to Get Response Headers
Browser DevTools
- Open DevTools → Network tab
- Click any request
- Scroll to “Response Headers” section
- Copy all headers
cURL
curl -I https://example.com
# Or send a GET and dump only the response headers (the body is discarded):
curl -D - https://example.com -o /dev/null
HTTPie
http --headers GET https://example.com
Node.js / fetch
const res = await fetch('https://example.com');
res.headers.forEach((value, name) => console.log(`${name}: ${value}`));
Frequently Asked Questions
Does this tool make any network requests?
No. This tool only analyzes headers you paste into it. It does not fetch any URLs or make any network connections.
What header format is expected?
Standard HTTP response header format: one header per line, Name: Value. HTTP/1.1 status lines (HTTP/1.1 200 OK) are ignored automatically.
Why is my CSP flagged even though it looks restrictive?
Common causes: 'unsafe-hashes' is present, or a source list includes the scheme-only sources http: or https:, which allow loading from any domain over that scheme.
What does a missing security header mean?
Missing headers are flagged as warnings rather than errors. The severity depends on the header — a missing X-Content-Type-Options is low risk on most sites; a missing CSP is more significant for sites handling user input.