Client-Side Only — Headers are analyzed entirely in your browser. No data is sent to any server.

HTTP Header Analyzer

Instant Analysis

Paste any HTTP response headers and get security, CORS, and cache analysis in real-time.

Security Scoring

Get a 0-100 security score based on 9 critical headers with detailed recommendations.

Header Explanations

Click any header to learn what it does, why it matters, and how to configure it.

What Is HTTP Header Analyzer?

HTTP Header Analyzer is a free online tool that inspects HTTP response headers for security vulnerabilities, CORS misconfigurations, and caching issues — entirely in your browser.

Key Features

  • Security score (0-100) based on 9 critical security headers with per-header deduction breakdown
  • CORS analysis detecting wildcard origins, credential conflicts, and misconfigured policies
  • Cache policy analysis with TTL calculation, directive parsing, and ETag detection
  • Clickable header explanations with nginx and Express configuration examples
  • HTTP status line parsing with color-coded status code badges
  • Three built-in samples: Secure API, Insecure, and CDN Cached

How to Use

Paste your HTTP response headers (from browser DevTools, curl, or any HTTP client) into the input area. The tool automatically parses the headers and generates analysis cards for security, CORS, and caching. Click any header row in the table to see a detailed explanation with configuration examples.

Common Use Cases

  • Auditing web application security headers before deployment
  • Debugging CORS issues between frontend and API servers
  • Verifying CDN caching configuration is correct
  • Learning about HTTP security best practices with real examples
  • Checking compliance with security header requirements

Frequently Asked Questions

How is the security score calculated?
The score starts at 100 and deducts points for each missing security header: Strict-Transport-Security (HSTS, -20), Content-Security-Policy (CSP, -25), X-Frame-Options (-10), X-Content-Type-Options (-10), Referrer-Policy (-5), Permissions-Policy (-5), Cross-Origin-Opener-Policy (COOP, -5), Cross-Origin-Embedder-Policy (COEP, -5), Cross-Origin-Resource-Policy (CORP, -5). Additional deductions apply for unsafe CSP directives.

Can I paste headers from curl or browser DevTools?
Yes. The parser handles both formats: raw headers with "Header: Value" lines and responses starting with an HTTP status line like "HTTP/2 200 OK". Just paste the text as-is.

What does a wildcard CORS origin mean?
Access-Control-Allow-Origin: * means any website can make cross-origin requests to your API. This is fine for public APIs but risky for private endpoints. Combining * with Access-Control-Allow-Credentials: true is invalid and will be blocked by browsers.

Is my data safe?
Absolutely. All analysis runs in your browser using JavaScript. No data is sent to any server. You can verify by disconnecting from the internet.
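
The scoring and wildcard-CORS rules from the FAQ above can be sketched as follows. This is an added example, not the tool's own source: the function names and finding labels are assumptions, and the extra deductions for unsafe CSP directives are left out because the page does not give their amounts.

```javascript
// Deductions per missing header, as listed in the FAQ above.
// Function names and finding labels are this example's own (assumptions).
const DEDUCTIONS = {
  'strict-transport-security': 20, 'content-security-policy': 25,
  'x-frame-options': 10, 'x-content-type-options': 10,
  'referrer-policy': 5, 'permissions-policy': 5,
  'cross-origin-opener-policy': 5, 'cross-origin-embedder-policy': 5,
  'cross-origin-resource-policy': 5,
};

// Accepts pasted text with or without a status line such as "HTTP/2 200 OK".
function parseHeaders(text) {
  const headers = new Map();
  let status = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^HTTP\/\d(\.\d)?\s+\d{3}/i.test(line)) { status = line; continue; }
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // blank line, or not a "Name: value" line
    const name = line.slice(0, idx).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(idx + 1).trim();
    // A repeated header is folded into one comma-separated value.
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { status, headers };
}

function analyze(text) {
  const { status, headers } = parseHeaders(text);
  const missing = Object.keys(DEDUCTIONS).filter((h) => !headers.has(h));
  const score = missing.reduce((s, h) => s - DEDUCTIONS[h], 100);
  const findings = [];
  const creds = (headers.get('access-control-allow-credentials') || '').toLowerCase();
  if (headers.get('access-control-allow-origin') === '*') {
    // Wildcard plus credentials is the invalid combination browsers block.
    findings.push(creds === 'true' ? 'cors-wildcard-with-credentials' : 'cors-wildcard-origin');
  }
  return { status, score, missing, findings };
}

// Constructed sample response, not one of the tool's built-in samples.
const SAMPLE = [
  'HTTP/2 200 OK',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
].join('\n');
console.log(analyze(SAMPLE));
```

With all nine headers missing the listed deductions total 90, so a response can score no lower than 10 before any CSP-directive deductions.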