HTTP Headers Viewer

Inspect HTTP response headers for any public URL.

Header inspection tool

Analyze HTTP response headers

Validate a URL or paste raw response headers for reliable local parsing. Pasted-header mode works fully in the browser.

Paste headers from DevTools, curl, Postman, or server logs.

Headers are ready to inspect and copy.

Analysis status

Ready

Pasted-header mode parses the header block locally in your browser.

Detected highlights

Content-Type: text/html; charset=UTF-8
Cache: Cacheable
Security headers: Strong signal
Compression: Brotli

Status code

200

HTTP status if available.

Header count

10

Parsed response headers.

Content type

text/html; charset=UTF-8

Response format metadata.

Cache status

Cacheable

max-age=3600

Security status

Strong signal

Based on selected security header presence only.

CORS status

Configured

https://example.com

Compression

Brotli

Detected from Content-Encoding.

Mode

Pasted headers

Current inspection mode.

Copy all headers

Copy the full parsed header block for debugging, documentation, or sharing with teammates.

Copy parsed summary

Copy a compact summary with status, content type, cache, CORS, compression, and security signals.

Privacy note

Pasted headers are parsed locally in the browser. Avoid pasting private cookies, tokens, or internal hostnames.

Security note

Security headers are useful, but they do not prove a site is fully secure by themselves.

CORS limitation

Browser JavaScript cannot read every third-party response header. Pasted-header mode avoids that limitation.

Accuracy note

Browser-visible headers may not include every server, CDN, proxy, or redirect header.

Parsed header details

Review each header, what it means, and copy individual values.

content-type

text/html; charset=UTF-8

Describes the response format, such as HTML, JSON, CSS, JavaScript, or an image.

cache-control

max-age=3600

Controls browser, CDN, and intermediary caching behaviour.

etag

"abc123"

Cache validation token used to check whether content changed.

content-encoding

br

Compression format such as gzip, br, zstd, or identity.

strict-transport-security

max-age=31536000; includeSubDomains

Instructs browsers to use HTTPS for future requests.

content-security-policy

default-src 'self'

Security policy that restricts what resources the browser may load.

x-frame-options

SAMEORIGIN

Clickjacking protection for iframe embedding.

x-content-type-options

nosniff

Prevents MIME type sniffing when set to nosniff.

referrer-policy

strict-origin-when-cross-origin

Controls how much referrer information is sent.

access-control-allow-origin

https://example.com

CORS policy that controls which origins can access the response.

Practical HTTP header examples

Click an example to load it into pasted-header mode.

HTTP headers quick reference

Content-Type

Describes the response format.

Cache-Control

Controls browser and CDN caching.

Location

Used for redirects.

Set-Cookie

Sends cookies to the browser.

Content-Encoding

Compression such as gzip or br.

ETag

Cache validation token.

Access-Control-Allow-Origin

CORS access policy.

Strict-Transport-Security

HTTPS policy.

Content-Security-Policy

Browser security policy.

Referrer-Policy

Controls referrer information.

Developer guide

Understand HTTP response headers

Headers describe content type, caching, redirects, cookies, security policies, compression, server behaviour, and cross-origin access.

What is an HTTP Headers Viewer?

An HTTP Headers Viewer helps inspect metadata sent with HTTP responses. Developers use it to understand how browsers, APIs, CDNs, and servers handle a response.

When should developers use one?

Use it for API debugging, content type checks, redirect investigation, cache review, compression checks, CORS debugging, cookie review, security header checks, CDN testing, and SEO troubleshooting.

Response headers vs request headers

Request headers are sent by the client to the server. Response headers are returned by the server to the client. This page focuses mainly on response headers.

Privacy and security

Avoid pasting private cookies, Authorization headers, tokens, session IDs, API keys, or internal hostnames into online tools unless you trust the environment.

Common HTTP header mistakes

Missing Content-Type.
Incorrect cache settings.
Using no-store when caching is desired.
Missing security headers.
Exposing sensitive server details.
Misconfigured CORS wildcards.
Setting cookies without Secure, HttpOnly, or SameSite.
Expecting browser JavaScript to access every third-party header.
Ignoring redirects when testing headers.

How to use this HTTP Headers Viewer

  1. 1Enter a URL to validate it or switch to pasted-header mode.
  2. 2Paste headers copied from DevTools, curl, Postman, or server logs.
  3. 3Review status, content type, cache, CORS, compression, and security summaries.
  4. 4Open individual headers to see what they mean.
  5. 5Copy the full header block or selected values for debugging.

Why developers use an HTTP Headers Viewer

Debug response metadata quickly.
Understand caching behaviour.
Check content type and compression.
Inspect CORS responses.
Review security headers.
Investigate redirects.
Compare CDN and origin responses.
Share header summaries with teammates.

HTTP Headers Viewer FAQs

It shows the metadata returned with an HTTP response, such as content type, cache rules, security policies, cookies, redirects, and CORS headers.

Learn the formula, assumptions, examples, or context behind this tool.