HTTP Headers Analyzer
Paste HTTP response headers to get a security score, caching analysis, CORS breakdown, and plain-English explanations.
HTTP response headers are metadata sent by a server alongside a response body. They control browser behavior including caching, security policies, content encoding, and CORS. Properly configured headers significantly improve security and performance of web applications.
Security headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options are critical for protecting against common web attacks like XSS, clickjacking, and man-in-the-middle attacks.
Run curl -I https://yoursite.com to see response headers in the terminal.
Content-Security-Policy (CSP) is the most impactful security header. It controls which resources the browser is allowed to load, which blocks most injected-script XSS payloads. Strict-Transport-Security (HSTS) is equally important for HTTPS sites.
The Server and X-Powered-By headers reveal your server software and version (e.g., "nginx/1.18.0" or "PHP/8.2"). Attackers can use this information to target known vulnerabilities in that exact version. Removing or obfuscating these headers is a basic security hardening step.
no-store means the response must not be stored in any cache — not in the browser, not in shared proxies. Use this for sensitive pages like banking dashboards or user-specific data that should never be cached.
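The checks described above, implemented as a small stand-alone analyzer. This is an added example, not the tool's own code; the point weights, the -10 penalty per disclosing header, and the sample header block are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Security headers the checker expects, with assumed point weights (sum to 100).
EXPECTED = {
    "content-security-policy": 40,
    "strict-transport-security": 35,
    "x-frame-options": 25,
}
# Headers that disclose server software and should be removed or obfuscated.
DISCLOSING = ("server", "x-powered-by")

# Constructed sample of a pasted response-header block.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/8.2
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse pasted 'Name: value' lines; the status line, if present, is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers

def analyze(raw: str) -> Tuple[int, List[str]]:
    """Return (score out of 100, findings) for a pasted header block."""
    h = parse_headers(raw)
    score, findings = 0, []
    for name, points in EXPECTED.items():
        if name in h:
            score += points
        else:
            findings.append(f"missing {name}")
    for name in DISCLOSING:  # assumed penalty: -10 per disclosing header
        if name in h:
            score -= 10
            findings.append(f"{name} discloses '{h[name]}'")
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if "no-store" in directives:
        findings.append("cache-control: no-store (response is not cached anywhere)")
    elif h.get("set-cookie") and "private" not in directives:
        findings.append("set-cookie without private/no-store: shared caches may store it")
    return max(0, min(100, score)), findings

if __name__ == "__main__":
    total, notes = analyze(SAMPLE)
    print(f"score: {total}/100")
    for note in notes:
        print(" -", note)
```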