GrowthGPT
AI community platform for modern work

HTTP Header Checker

Paste HTTP response headers to analyze security, caching, SEO, and performance.

Tip: Use curl -I https://example.com in your terminal to get headers

What Are HTTP Headers?

HTTP headers are metadata sent between your browser and a web server with every request and response. They carry essential information about the content being transferred, how it should be cached, security policies to enforce, and much more.

When you visit a website, the server sends back response headers alongside the actual page content. These headers tell your browser how to handle the response, including the content type, encoding, caching rules, and security restrictions. Understanding these headers is crucial for web developers, SEO specialists, and security professionals.

Security Headers Explained

Security headers form a critical layer of defense for any website. Strict-Transport-Security (HSTS) forces browsers to use HTTPS, preventing downgrade attacks. Content-Security-Policy (CSP) controls which resources the browser is allowed to load, mitigating cross-site scripting (XSS) attacks.

X-Content-Type-Options prevents browsers from MIME-sniffing content, while X-Frame-Options blocks your site from being embedded in iframes on other domains (preventing clickjacking). Referrer-Policy controls how much URL information is shared when navigating away from your site. Permissions-Policy (formerly Feature-Policy) lets you disable browser features like camera or microphone access that your site does not need.
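
The six headers described above can be checked mechanically. The following is an added example, not this tool's own code: it parses pasted curl -I output and reports each security header as ok, weak, or missing. The function names, the weak-value rules, and the sample input are assumptions of this example and do not reflect the tool's scoring.

```javascript
// Added example; the value checks are this example's assumptions, not the tool's scoring.
// Parse pasted `curl -I` output into a Map of lowercase header name -> value.
// Simplification: a repeated header keeps its first value.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line, blank line, or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, line.slice(idx + 1).trim());
  }
  return headers;
}

// Each check returns null when the value is acceptable, else a reason string.
const CHECKS = {
  "strict-transport-security": (v) => {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(v);
    if (!m) return "no max-age directive";
    return Number(m[1]) === 0 ? "max-age=0 removes the HSTS policy" : null;
  },
  "content-security-policy": (v) => {
    const dirs = v.split(";").map((d) => d.trim().split(/\s+/));
    const find = (n) => dirs.find((d) => d[0].toLowerCase() === n);
    const src = find("script-src") || find("default-src"); // script-src falls back to default-src
    if (!src) return "no script-src or default-src: scripts are unrestricted";
    const guarded = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    return src.includes("'unsafe-inline'") && !guarded ? "inline scripts allowed" : null;
  },
  "x-content-type-options": (v) => (/^nosniff$/i.test(v) ? null : "value is not nosniff"),
  "x-frame-options": (v) => (/^(deny|sameorigin)$/i.test(v) ? null : "value is not DENY or SAMEORIGIN"),
  "referrer-policy": (v) => (/unsafe-url/i.test(v) ? "unsafe-url sends full URLs cross-origin" : null),
  "permissions-policy": () => null, // presence only; any value is accepted here
};

// Return one finding per header: status is "ok", "weak" or "missing".
function auditSecurityHeaders(raw) {
  const headers = parseHeaders(raw);
  return Object.entries(CHECKS).map(([name, check]) => {
    if (!headers.has(name)) return { name, status: "missing", detail: "header not set" };
    const reason = check(headers.get(name));
    return { name, status: reason ? "weak" : "ok", detail: reason || "" };
  });
}
// Constructed sample input (not captured from a real site).
const SAMPLE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n" +
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n" +
  "X-Content-Type-Options: nosniff\r\nX-Frame-Options: ALLOWALL\r\n";
console.table(auditSecurityHeaders(SAMPLE));
```

A header that is present but carries a weak value is reported separately from a missing one, since a presence-only check would pass both max-age=0 and a script-src that allows 'unsafe-inline'.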

Caching Headers and Performance

Proper caching headers can dramatically improve website performance and reduce server load. The Cache-Control header is the primary mechanism, with directives like max-age (how long to cache), public/private (who can cache), and no-store (do not cache at all).

ETags and Last-Modified headers enable conditional requests. When a browser already has a cached copy, it can send the ETag or modification date back to the server, which responds with either the full content or a lightweight 304 Not Modified status. The Age header shows how long a response has been sitting in a CDN cache, which is useful for debugging caching behavior.

HTTP Headers and SEO

Several HTTP headers directly impact search engine optimization. The X-Robots-Tag header provides the same functionality as a robots meta tag but at the HTTP level, which is especially useful for non-HTML resources like PDFs and images.

The Link header can specify a canonical URL for a page, telling search engines which version of a URL is authoritative. Content-Type headers ensure search engines correctly interpret your content, while Content-Language headers help with international targeting. Server response times visible through headers also affect Core Web Vitals, which are a ranking factor.

Frequently Asked Questions

How do I get HTTP response headers for a website?

You can get HTTP response headers using several methods. In your terminal, run 'curl -I https://example.com' to see just the headers. In Chrome DevTools, open the Network tab, click on any request, and view the Response Headers section. You can also use browser extensions designed for viewing headers. Copy the output and paste it into this tool for analysis.

What is a good security header score?

A score of 80 or above indicates strong security header coverage. The most impactful headers to add are Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP), which together account for 40 points. Even basic headers like X-Content-Type-Options and X-Frame-Options make a significant difference. Aim for at least the top four security headers on every production site.

Why does this tool ask me to paste headers instead of fetching them?

Browsers enforce the same-origin policy, which prevents JavaScript from making direct HTTP requests to arbitrary domains and reading their headers unless the server opts in through CORS. By asking you to paste headers obtained via curl, DevTools, or other methods, this tool can run entirely in your browser with no server needed. Your data never leaves your device.

What Cache-Control directives should I use?

For static assets like images, CSS, and JavaScript with versioned filenames, use 'public, max-age=31536000, immutable' for aggressive caching. For HTML pages, 'public, max-age=3600, s-maxage=86400, stale-while-revalidate=86400' balances freshness with performance. For API responses with dynamic data, use 'no-store' or 'no-cache' to prevent stale data.

Is this tool free to use?

Yes, this tool is completely free. It runs entirely in your browser using JavaScript. No data is sent to any server, and no API calls are made. Your pasted headers are analyzed locally and never stored or transmitted.
