HTTP Header Analyzer

How to Use

  1. Open your browser DevTools (F12) → Network tab, reload the page, and click the main HTML request.
  2. Find the Response Headers section and copy all the header lines to your clipboard.
  3. Paste them into the textarea above and click Analyze.
  4. Review your Security Grade and the color-coded security header checklist.
  5. Fix any red (missing) or orange (misconfigured) headers in your server, CDN, or framework settings.

About This Tool

HTTP response headers instruct browsers how to handle your page — including caching, content types, and critically, security policies. Headers like Strict-Transport-Security force HTTPS connections, Content-Security-Policy restricts which scripts can execute (blocking XSS), X-Frame-Options prevents clickjacking, and X-Content-Type-Options stops MIME sniffing attacks. This tool parses any raw HTTP header block you paste and gives you an instant security analysis with explanations — entirely in your browser, with no data sent to any server.
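
The kind of analysis described above, as an added example in JavaScript (not this tool's own code): it parses a pasted header block and reports each security header as ok, misconfigured, missing or deprecated. The function names, the 180-day HSTS floor and the CSP rule are assumptions made for the illustration, and the sample headers are constructed.

```javascript
// Added example; thresholds and rules are assumptions, not this tool's checks.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line, blank line, or HTTP/2 pseudo-header
    const name = line.slice(0, i).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(i + 1).trim();
    // Repeated fields are joined with ", " (a simplification for CSP).
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

const CHECKS = {
  // Assumed floor: max-age of at least 180 days (15552000 seconds).
  "strict-transport-security": (v) => {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(v);
    return m && Number(m[1]) >= 15552000 ? "ok" : "misconfigured";
  },
  // Assumed rule: the directive governing scripts must exist and must not
  // allow inline script, eval, or a bare "*" source.
  "content-security-policy": (v) => {
    const d = v.split(";").map((s) => s.trim().toLowerCase());
    const src = d.find((s) => s.startsWith("script-src ")) ||
      d.find((s) => s.startsWith("default-src "));
    return src && !/'unsafe-inline'|'unsafe-eval'|\s\*(\s|$)/.test(src) ? "ok" : "misconfigured";
  },
  "x-frame-options": (v) => (/^(deny|sameorigin)$/i.test(v) ? "ok" : "misconfigured"),
  "x-content-type-options": (v) => (/^nosniff$/i.test(v) ? "ok" : "misconfigured"),
};

function analyze(raw) {
  const headers = parseHeaders(raw);
  const report = {};
  for (const [name, check] of Object.entries(CHECKS)) {
    report[name] = headers.has(name) ? check(headers.get(name)) : "missing";
  }
  // Reported as a warning even when present: the filter it enabled is obsolete.
  if (headers.has("x-xss-protection")) report["x-xss-protection"] = "deprecated";
  return report;
}

// Constructed sample response headers.
const SAMPLE = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8",
  "strict-transport-security: max-age=300",
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options: nosniff", "X-XSS-Protection: 1; mode=block"].join("\r\n");
console.log(analyze(SAMPLE));
```
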

Frequently Asked Questions

How do I copy my HTTP response headers?

Open DevTools with F12, go to the Network tab, reload the page, click the main document request, then scroll to the Response Headers section. In Chrome you can right-click the request and choose "Copy → Copy response headers". Alternatively, use curl -I https://yoursite.com in a terminal.

What is the most important security header to add?

Content-Security-Policy (CSP) is the most powerful, as it can prevent XSS attacks by controlling which scripts and resources browsers may load. Strict-Transport-Security (HSTS) is equally critical for any site served over HTTPS; without it, browsers can be silently downgraded to plain HTTP.

Why is X-XSS-Protection shown as a warning even when present?

The X-XSS-Protection header activated an old browser XSS filter that has been removed from modern Chrome, Edge, and Firefox. It is no longer effective and has even been shown to introduce new vulnerabilities. It is listed here for completeness, but a proper Content-Security-Policy is the correct modern replacement.
