What are HTTP headers?

HTTP headers are key-value pairs sent between client and server in HTTP requests and responses. They carry metadata about the request/response: content type, caching rules, authentication, cookies, CORS permissions, and security policies. Headers appear before the body, separated by a blank line. Format: Header-Name: value.

What are the most important security headers?

Key security headers: Strict-Transport-Security (HSTS, forces HTTPS), Content-Security-Policy (CSP, controls resource loading), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options: DENY (blocks iframe embedding), Referrer-Policy (controls referrer info). Missing security headers is a common vulnerability.

How do CORS headers work?

CORS (Cross-Origin Resource Sharing) headers control which origins can access a resource. Access-Control-Allow-Origin specifies allowed origins (* for all). Access-Control-Allow-Methods lists allowed HTTP methods. Access-Control-Allow-Headers specifies allowed request headers. Browsers enforce CORS — servers set the headers.

What is the Cache-Control header?

Cache-Control directs how browsers and CDNs cache responses. Common values: max-age=3600 (cache for 1 hour), no-cache (revalidate before using cache), no-store (never cache), public (CDN can cache), private (only browser can cache), immutable (never changes). Proper caching significantly improves page load speed.

How do I view HTTP headers in a browser?

Open browser DevTools (F12 or Cmd+Option+I), go to the Network tab, click any request, and select the Headers panel. You will see Request Headers (sent by browser) and Response Headers (sent by server). In curl, use curl -I URL for response headers only, or curl -v URL for full request and response headers.

What is the difference between request and response headers?

Request headers are sent from client to server: Host, User-Agent, Accept, Authorization, Cookie. Response headers are sent from server to client: Content-Type, Set-Cookie, Cache-Control, Server, Location (for redirects). Some headers like Content-Type appear in both directions.

Back

HTTP Header Parser & Analyzer

HTTP headers are key-value pairs in requests and responses carrying metadata. Content-Type specifies the body format (application/json, text/html). Cache-Control sets caching rules (max-age, no-store). Security headers include HSTS (force HTTPS), CSP (restrict resources), X-Frame-Options (block iframes). CORS headers (Access-Control-Allow-Origin) control cross-origin access.

Parse and analyze HTTP request and response headers. Categorizes headers by type (Content, Caching, Security, CORS, Request, Response). Explains what each header does. Export as JSON. Paste raw headers from curl, browser DevTools, or server logs.

Works OfflineDark ModeNo Ads

Presets

HTTP Headers Input

Common HTTP Headers

Header	Example	Purpose
Content-Type	application/json	Specifies MIME type of body content
Cache-Control	max-age=3600	Browser/CDN caching rules
Authorization	Bearer <token>	Authentication credentials
CORS headers	Access-Control-*	Cross-origin request permissions
HSTS	max-age=31536000	Force HTTPS for 1 year
CSP	default-src 'self'	Restrict resource loading sources
ETag	"abc123"	Resource version for conditional requests
Set-Cookie	name=value; HttpOnly	Store data on client browser

How to Use

1
Paste HTTP headers
Paste raw headers from curl output, browser DevTools Network tab, or server logs. HTTP status lines are automatically skipped.
2
View parsed headers
Each header is parsed with its name, value, category (Security, Caching, CORS, etc.), and a description of what it does.
3
Group by category
Toggle grouping to see headers organized by type: Content, Caching, Security, CORS, Request, Response, or Other.
4
Export as JSON
Click Copy to export all parsed headers as a JSON object. Use presets to explore common header configurations.

Frequently Asked Questions

What are HTTP headers?: HTTP headers are key-value pairs sent between client and server in HTTP requests and responses. They carry metadata about the request/response: content type, caching rules, authentication, cookies, CORS permissions, and security policies. Headers appear before the body, separated by a blank line. Format: Header-Name: value.
What are the most important security headers?: Key security headers: Strict-Transport-Security (HSTS, forces HTTPS), Content-Security-Policy (CSP, controls resource loading), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options: DENY (blocks iframe embedding), Referrer-Policy (controls referrer info). Missing security headers is a common vulnerability.
How do CORS headers work?: CORS (Cross-Origin Resource Sharing) headers control which origins can access a resource. Access-Control-Allow-Origin specifies allowed origins (* for all). Access-Control-Allow-Methods lists allowed HTTP methods. Access-Control-Allow-Headers specifies allowed request headers. Browsers enforce CORS — servers set the headers.
What is the Cache-Control header?: Cache-Control directs how browsers and CDNs cache responses. Common values: max-age=3600 (cache for 1 hour), no-cache (revalidate before using cache), no-store (never cache), public (CDN can cache), private (only browser can cache), immutable (never changes). Proper caching significantly improves page load speed.
How do I view HTTP headers in a browser?: Open browser DevTools (F12 or Cmd+Option+I), go to the Network tab, click any request, and select the Headers panel. You will see Request Headers (sent by browser) and Response Headers (sent by server). In curl, use curl -I URL for response headers only, or curl -v URL for full request and response headers.
What is the difference between request and response headers?: Request headers are sent from client to server: Host, User-Agent, Accept, Authorization, Cookie. Response headers are sent from server to client: Content-Type, Set-Cookie, Cache-Control, Server, Location (for redirects). Some headers like Content-Type appear in both directions.