About HTTP Header Analyzer

Analyze HTTP headers for security, caching, and best practices. Part of the DevTools Surf developer suite. Browse more tools in the Networking collection.

Use Cases

• Audit production response headers for security compliance
• Debug caching issues by analyzing Cache-Control directives
• Verify CORS and CSP headers before deployment
• Check for information leakage in Server and X-Powered-By headers

Tips

• Paste full response headers to get a security audit summary
• Check for missing security headers like CSP and HSTS
• Identify caching misconfigurations from Cache-Control values

Fun Facts

• HTTP/1.0 (RFC 1945, 1996) defined only 16 header fields; today there are over 90 registered HTTP headers in the IANA registry.
• The X- prefix for custom headers was deprecated by RFC 6648 in 2012, but X-Forwarded-For and X-Requested-With remain ubiquitous.
• The Strict-Transport-Security (HSTS) header was standardized in RFC 6797 in 2012 after being pioneered by PayPal to prevent SSL stripping attacks.

FAQ

What does it analyze?

Security (CSP, HSTS, X-Frame-Options, X-Content-Type-Options), caching (Cache-Control, ETag, Vary), and informational headers. Flags missing security headers.

What's a good security header set?

HSTS with includeSubDomains, CSP with nonce-based scripts, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin.

Does it fetch the URL?

Paste headers — the tool analyzes them. For live fetching across origins, browser CORS blocks it; use curl or the SecurityHeaders.com service.

What's Strict-Transport-Security?

Tells browsers to always use HTTPS for your domain. Prevents protocol-downgrade attacks. Essential for any HTTPS site.