HTTP Header Inspector

Paste response headers to audit HSTS, CSP, CORS, X-Powered-By disclosure, and Set-Cookie flags

What is HTTP Header Inspector

HTTP Header Inspector parses a raw block of HTTP response headers and audits the most common security and hygiene settings: HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, Server header disclosure, and Set-Cookie Secure / HttpOnly flags.

Paste the entire response (status line optional) and get a structured report of issues and notes in seconds.

Why use it

  • Audit production security headers before launch.
  • Triage security scanner findings.
  • Verify cookie flags on login endpoints.
  • Spot CORS wide-open configurations.
  • Catch X-Powered-By leaks in staging.

Features

  • HSTS / CSP / X-Content-Type-Options checks
  • Referrer-Policy presence
  • CORS wide-open detection
  • Server / X-Powered-By leak warnings
  • Set-Cookie Secure / HttpOnly audit

How to use HTTP Header Inspector

  1. Paste headers. Status line optional.
  2. Run. Review issues and notes.
  3. Fix & re-check. Update your server config and re-audit.

Example (before/after)

Input

HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: sid=abc; Path=/
Access-Control-Allow-Origin: *
X-Powered-By: Express

Audit

Parsed 4 headers

Headers:
  content-type: application/json
  set-cookie: sid=abc; Path=/
  access-control-allow-origin: *
  x-powered-by: Express

Issues (5):
  • Missing Strict-Transport-Security (enable HSTS)
  • Missing Content-Security-Policy
  • Missing X-Content-Type-Options: nosniff
  • Missing Referrer-Policy
  • Set-Cookie missing 'Secure' flag
  • Set-Cookie missing 'HttpOnly' flag

Notes:
  • CORS: Access-Control-Allow-Origin is '*' (wide open)
  • X-Powered-By discloses: Express
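The same audit expressed as code, as an added example that is not the tool's own implementation: it skips the status line, lowercases header names, audits each Set-Cookie line separately with case-insensitive flags, and reports the same issues and notes as the report above. The sample input is the "before" response from this section, embedded as a constant.

```javascript
// Added example, not the tool's own code. Required headers and the message
// emitted when each is absent (presence check only, as the tool does).
const REQUIRED = [
  ['strict-transport-security', 'Missing Strict-Transport-Security (enable HSTS)'],
  ['content-security-policy', 'Missing Content-Security-Policy'],
  ['x-content-type-options', 'Missing X-Content-Type-Options: nosniff'],
  ['referrer-policy', 'Missing Referrer-Policy'],
];

// Parse a raw header block into [name, value] pairs; names are lowercased.
function parseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    const t = line.trim();
    if (!t || /^HTTP\//i.test(t)) continue; // blank line or status line
    const i = t.indexOf(':');
    if (i < 1) continue;                    // not a "Name: value" line
    headers.push([t.slice(0, i).trim().toLowerCase(), t.slice(i + 1).trim()]);
  }
  return headers;
}

// Run the checks and return { headers, issues, notes } for the report.
function auditHeaders(raw) {
  const headers = parseHeaders(raw);
  const get = (name) => headers.filter(([n]) => n === name).map(([, v]) => v);
  const issues = [];
  const notes = [];
  for (const [name, msg] of REQUIRED) if (get(name).length === 0) issues.push(msg);
  // Each Set-Cookie value is audited on its own; flag names are case-insensitive.
  for (const cookie of get('set-cookie')) {
    const flags = cookie.split(';').slice(1).map((f) => f.trim().toLowerCase());
    if (!flags.includes('secure')) issues.push("Set-Cookie missing 'Secure' flag");
    if (!flags.includes('httponly')) issues.push("Set-Cookie missing 'HttpOnly' flag");
  }
  if (get('access-control-allow-origin').includes('*')) {
    notes.push("CORS: Access-Control-Allow-Origin is '*' (wide open)");
  }
  for (const v of get('server')) notes.push(`Server discloses: ${v}`);
  for (const v of get('x-powered-by')) notes.push(`X-Powered-By discloses: ${v}`);
  return { headers, issues, notes };
}

// Constructed sample: the "before" response from the example above.
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Set-Cookie: sid=abc; Path=/',
  'Access-Control-Allow-Origin: *',
  'X-Powered-By: Express',
].join('\n');
```

Calling `auditHeaders(SAMPLE)` yields 4 parsed headers, the six issues and the two notes shown in the report; after adding the missing headers and cookie flags the issue list is empty.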

Common errors

Missing status line

The parser skips lines starting with HTTP/.

Fix: It's fine to paste with or without the status line.

Multi-value headers

Some servers split Set-Cookie across multiple lines.

Fix: Paste each Set-Cookie value on its own line.

FAQ

Does it perform HTTP requests?

No — paste existing headers; nothing is fetched.

Which headers does it check?

HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, Server, X-Powered-By, Set-Cookie.

Is input uploaded?

No — parsing is client-side.

Does it validate CSP directives?

It checks presence only — paste the CSP into a dedicated validator for full checks.

Are cookie flags case-sensitive?

No — the tool checks case-insensitively.