HTTP Header Analyzer
Paste HTTP response headers to parse, explain, and get security recommendations. Everything runs locally in your browser.
Parsed Headers (9)
Content-Type
text/html; charset=utf-8
Indicates the media type of the resource (e.g. text/html, application/json).
Content-Length
12345
The size of the response body in bytes.
Cache-Control
public, max-age=3600
Directives for caching mechanisms in both requests and responses.
Set-Cookie (Security)
session=abc123; HttpOnly; Secure; SameSite=Lax
Sends a cookie from the server to the user agent.
Ensure HttpOnly, Secure, and SameSite flags are set.
X-Powered-By (Security)
Express
Reveals the technology/framework behind the server.
Remove this header to avoid exposing server details to attackers.
Server (Security)
nginx/1.21.0
Identifies the server software.
Consider removing or obscuring to reduce information disclosure.
Strict-Transport-Security (Security)
max-age=31536000; includeSubDomains
Tells the browser to always use HTTPS. Also known as HSTS.
Good. Ensure max-age is at least 31536000 (1 year) and include includeSubDomains.
X-Content-Type-Options (Security)
nosniff
Prevents MIME-type sniffing.
Good. Should be set to "nosniff".
X-Frame-Options (Security)
DENY
Controls whether the page can be displayed in an iframe.
Good for clickjacking protection. Use DENY or SAMEORIGIN.
Missing Security Headers
Content-Security-Policy
Add a Content-Security-Policy header to control resource loading.
Referrer-Policy
Add: Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Add Permissions-Policy to restrict browser features.
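The checks listed above (cookie flags, information-disclosure headers, HSTS, nosniff, frame options, and the three missing headers) can be reproduced in a few dozen lines of browser-side JavaScript. The following is an added example, not the analyzer's own code: the function names parseHeaders, analyzeHeaders and summarize, the finding format, and the SAMPLE_HEADERS input are assumptions constructed here to mirror the headers shown on this page.

```javascript
// Added example: a minimal local HTTP response header analyzer.
// It parses raw header text and applies the same rules the page lists.
// Function names and the finding shape { header, level, message } are assumptions.

const ONE_YEAR = 31536000; // seconds; the minimum HSTS max-age recommended above

// Parse raw response headers into a Map of lowercase name -> array of values.
// A leading status line is skipped; repeated headers (e.g. Set-Cookie) are kept separately.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || /^HTTP\/\d(\.\d)?\s+\d{3}/.test(line)) continue;
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // not a "Name: value" line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Apply the page's security checks and return a list of findings.
function analyzeHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const add = (header, level, message) => findings.push({ header, level, message });
  const first = (name) => (h.get(name) || [])[0];

  // Set-Cookie: every cookie should carry HttpOnly, Secure and SameSite.
  for (const cookie of h.get('set-cookie') || []) {
    const parts = cookie.split(';').map((p) => p.trim());
    const attrs = parts.slice(1).map((a) => a.toLowerCase());
    const missing = ['httponly', 'secure', 'samesite'].filter(
      (flag) => !attrs.some((a) => a === flag || a.startsWith(flag + '='))
    );
    if (missing.length) add('Set-Cookie', 'warn', `"${parts[0]}" lacks ${missing.join(', ')}`);
    else add('Set-Cookie', 'ok', `"${parts[0]}" has HttpOnly, Secure and SameSite`);
  }

  // Information disclosure: these headers should be removed or obscured.
  for (const [name, label] of [['x-powered-by', 'X-Powered-By'], ['server', 'Server']]) {
    if (h.has(name)) add(label, 'warn', `reveals "${first(name)}"; remove or obscure it`);
  }

  // HSTS: max-age of at least one year plus includeSubDomains.
  const hsts = first('strict-transport-security');
  if (hsts === undefined) add('Strict-Transport-Security', 'missing', 'add HSTS with max-age >= 31536000');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    const subs = /includesubdomains/i.test(hsts);
    if (age >= ONE_YEAR && subs) add('Strict-Transport-Security', 'ok', 'max-age >= 1 year with includeSubDomains');
    else add('Strict-Transport-Security', 'warn', `max-age=${age}${subs ? '' : ', includeSubDomains missing'}`);
  }

  // X-Content-Type-Options must be exactly nosniff.
  const xcto = first('x-content-type-options');
  if (xcto === undefined) add('X-Content-Type-Options', 'missing', 'add X-Content-Type-Options: nosniff');
  else if (xcto.toLowerCase() === 'nosniff') add('X-Content-Type-Options', 'ok', 'nosniff');
  else add('X-Content-Type-Options', 'warn', `unexpected value "${xcto}"; use nosniff`);

  // X-Frame-Options: DENY or SAMEORIGIN for clickjacking protection.
  const xfo = first('x-frame-options');
  if (xfo === undefined) add('X-Frame-Options', 'missing', 'add X-Frame-Options: DENY or SAMEORIGIN');
  else if (['DENY', 'SAMEORIGIN'].includes(xfo.toUpperCase())) add('X-Frame-Options', 'ok', `${xfo.toUpperCase()} protects against clickjacking`);
  else add('X-Frame-Options', 'warn', `unexpected value "${xfo}"; use DENY or SAMEORIGIN`);

  // Headers the page flags as missing when absent.
  for (const [name, label, advice] of [
    ['content-security-policy', 'Content-Security-Policy', 'add a Content-Security-Policy to control resource loading'],
    ['referrer-policy', 'Referrer-Policy', 'add Referrer-Policy: strict-origin-when-cross-origin'],
    ['permissions-policy', 'Permissions-Policy', 'add Permissions-Policy to restrict browser features'],
  ]) {
    if (!h.has(name)) add(label, 'missing', advice);
  }
  return findings;
}

// Count findings by level.
function summarize(findings) {
  const counts = { ok: 0, warn: 0, missing: 0 };
  for (const f of findings) counts[f.level] += 1;
  return counts;
}

// Constructed sample mirroring the headers shown on the page (not captured from a real server).
const SAMPLE_HEADERS = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 12345',
  'Cache-Control: public, max-age=3600',
  'Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax',
  'X-Powered-By: Express',
  'Server: nginx/1.21.0',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: DENY',
].join('\n');

for (const f of analyzeHeaders(SAMPLE_HEADERS)) console.log(`[${f.level}] ${f.header}: ${f.message}`);
```

Run on the sample above it reports four ok findings, two warnings (X-Powered-By and Server) and three missing headers, matching the page's output; the same function also catches weaker inputs such as a cookie without flags or an HSTS max-age below one year.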