HTTP Header Analyzer - Parse & Audit Security Headers Online
Parse, analyze, and audit HTTP headers for security vulnerabilities, caching behavior, and CORS configuration. Get a security score with actionable recommendations — 100% client-side, no data sent to server.
Frequently Asked Questions
What is an HTTP Header Analyzer and what does it do?
An HTTP Header Analyzer is a tool that parses raw HTTP headers (both request and response) and provides human-readable explanations for each header. It categorizes headers by function (Security, Caching, CORS, Content, etc.), performs a security audit to check for the presence and correctness of critical security headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options, and generates a security score. It helps web developers understand what each header does, identify missing security protections, and optimize caching and CORS configurations.
How do I use this HTTP Header Analyzer tool?
1. Copy HTTP headers from your browser's DevTools (Network tab, click a request, view Headers), from curl -v output, or from server logs. 2. Paste the raw headers into the text area. The format should be Header-Name: value, one per line. Status lines like HTTP/1.1 200 OK and curl prefixes like < are automatically stripped. 3. Select Request Headers or Response Headers depending on what you pasted. 4. View the parsed results in the Parsed Headers tab to see each header with its category and description. 5. Switch to Security Audit to see your security score and any missing or misconfigured security headers. 6. Use Caching and CORS tabs for detailed analysis of those specific header groups.
Is my data safe? Does it get sent to a server?
Absolutely safe. This HTTP Header Analyzer runs 100% in your browser using client-side JavaScript. No headers, URLs, or any other data is ever transmitted to any server. All parsing and analysis happens locally in your browser. Unlike tools like securityheaders.com that require you to enter a URL and make server-side requests, this tool works entirely offline after the page loads. You can safely analyze headers from production servers, internal APIs, or sensitive environments without any privacy concerns.
What security headers should every website have?
Every website should implement these critical security headers in its HTTP responses: (1) Strict-Transport-Security (HSTS) with max-age=31536000; includeSubDomains to enforce HTTPS connections. (2) Content-Security-Policy (CSP) to prevent XSS and code injection attacks by controlling which resources can load. (3) X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses. (4) X-Frame-Options: DENY (or SAMEORIGIN) to prevent clickjacking attacks. (5) Referrer-Policy set to strict-origin-when-cross-origin to limit referrer information leakage. (6) Permissions-Policy to disable unused browser features like camera, microphone, and geolocation. Modern sites should also consider Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and Cross-Origin-Embedder-Policy (COEP) for additional isolation.
What is Content-Security-Policy (CSP) and why is it important?
Content-Security-Policy (CSP) is an HTTP response header that tells the browser which sources of content are allowed to load on a page. It is one of the most powerful defenses against Cross-Site Scripting (XSS) attacks. CSP uses directives like default-src, script-src, style-src, img-src, etc. to whitelist specific origins. For example, Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com allows scripts only from the same origin and a specific CDN. Values like 'unsafe-inline' and 'unsafe-eval' weaken CSP significantly and should be avoided. This tool parses and evaluates your CSP to identify potentially dangerous directives.
How is the security score calculated?
The security score is a 0-100 numeric rating based on the presence and configuration quality of critical security headers. Points are allocated as follows: HSTS with sufficient max-age (15 points), Content-Security-Policy (20 points), X-Frame-Options or CSP frame-ancestors (10 points), X-Content-Type-Options: nosniff (10 points), Referrer-Policy (10 points), Permissions-Policy (10 points), Cross-Origin-Opener-Policy (5 points), Cross-Origin-Resource-Policy (5 points), Cross-Origin-Embedder-Policy (5 points), and absence of version-leaking headers like Server or X-Powered-By (10 points). The score maps to letter grades: A+ (95-100), A (85-94), B (75-84), C (60-74), D (40-59), F (0-39).
What is the difference between request headers and response headers?
Request headers are sent by the client (browser) to the server and include information like User-Agent (browser identity), Accept (preferred content types), Authorization (authentication credentials), Cookie (stored cookies), and Referer (referring page). Response headers are sent by the server back to the client and include Content-Type (MIME type of the response body), Cache-Control (caching directives), security headers (CSP, HSTS, X-Frame-Options), Set-Cookie (cookies to store), and Access-Control-* (CORS policies). Security auditing applies primarily to response headers, as they control browser security behavior.
Code Examples
// HTTP Header Parser and Security Analyzer
function parseHttpHeaders(rawHeaders) {
const headers = [];
for (const line of rawHeaders.split('\n')) {
let cleaned = line.trim();
if (!cleaned) continue;
if (/^HTTP\/[\d.]+\s+\d+/.test(cleaned)) continue;
if (/^(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s+/.test(cleaned)) continue;
cleaned = cleaned.replace(/^[<>]\s*/, '');
if (!cleaned) continue;
const i = cleaned.indexOf(':');
if (i === -1) continue;
const name = cleaned.substring(0, i).trim();
const value = cleaned.substring(i + 1).trim();
if (name) headers.push({ name, value });
}
return headers;
}
const SECURITY_CHECKS = [
{ header: 'strict-transport-security', label: 'HSTS', weight: 15 },
{ header: 'content-security-policy', label: 'CSP', weight: 20 },
{ header: 'x-frame-options', label: 'X-Frame-Options', weight: 10 },
{ header: 'x-content-type-options', label: 'X-Content-Type-Options', weight: 10 },
{ header: 'referrer-policy', label: 'Referrer-Policy', weight: 10 },
{ header: 'permissions-policy', label: 'Permissions-Policy', weight: 10 },
];
function auditSecurity(headers) {
const map = new Map(headers.map(h => [h.name.toLowerCase(), h.value]));
let score = 0;
const results = [];
for (const check of SECURITY_CHECKS) {
const value = map.get(check.header);
if (value) {
score += check.weight;
results.push({ header: check.label, status: 'pass', value });
} else {
results.push({ header: check.label, status: 'fail', value: null });
}
}
// Check info leakage
if (!['server', 'x-powered-by'].some(h => map.has(h))) score += 10;
const grade = score >= 95 ? 'A+' : score >= 85 ? 'A' :
score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
return { score, grade, results };
}
// Example usage
const raw = `Content-Type: text/html\nStrict-Transport-Security: max-age=31536000\nX-Frame-Options: DENY\nX-Content-Type-Options: nosniff`;
const parsed = parseHttpHeaders(raw);
const audit = auditSecurity(parsed);
console.log(`Score: ${audit.score}/100 (${audit.grade})`);