Zero Signup Tools | Free browser tools

HTTP Headers Parser

Parse raw HTTP request or response headers in your browser. Decode Cache-Control, Set-Cookie, HSTS, and CORS, plus a security headers audit.

Paste the headers from a curl response, browser DevTools, or a fetch log. The first line may be a status line (HTTP/1.1 200 OK) or a request line (GET /path HTTP/1.1), followed by one Name: value pair per line. Folded continuation lines are joined automatically.

Summary

  • First line

    Response 200 OK

  • Headers parsed

    16

  • Categories present

    7

  • Security headers present

    3 of 6

Security headers audit

The following headers were not found in the response. Each is recommended for browser-facing pages.

  • Content-Security-Policy

    High impact

    Restricts which sources of script, style, and other resources the browser will load. The most effective defense against cross-site scripting.

  • Referrer-Policy

    Low impact

    Controls how much of the URL is sent in the Referer header to other sites. strict-origin-when-cross-origin is a common safe default.

  • Permissions-Policy

    Low impact

    Disables browser features (camera, microphone, geolocation, etc.) that your page does not need. Reduces the impact of a future XSS.

General

2 headers

  • Date

    Sat, 04 Apr 2026 14:22:11 GMT

    When the message was generated by the origin server.

  • Server

    nginx/1.25.4

    Software running on the origin server. Often hidden in production to reduce fingerprinting.

Caching

3 headers

  • Cache-Control

    public, max-age=3600, stale-while-revalidate=86400

    Directives that control how the response is cached by browsers and intermediaries.

    • public

      Any cache (including shared caches like CDNs) may store the response.

    • max-age

      3600 seconds (1 hour)

    • stale-while-revalidate

      86400 seconds (1 day)

  • Last-Modified

    Fri, 03 Apr 2026 18:00:00 GMT

    When the resource was last modified at the origin. Used with If-Modified-Since for conditional requests.

  • Vary

    Accept-Encoding, Accept-Language

    Headers a cache must consider when matching a request to a stored response (e.g., Vary: Accept-Encoding).

Content

3 headers

  • Content-Type

    text/html; charset=utf-8

    MIME type of the body, usually with a charset for text or a boundary for multipart.

    • mime

      text/html

    • charset

      utf-8

  • Content-Length

    14823

    Size of the body in bytes.

    • bytes

      14823

    • human

      14.5 KB

  • Content-Encoding

    gzip

    Compression applied to the body. The client must decode in reverse order.

    • gzip

      gzip compression (DEFLATE wrapped in gzip).

Security

3 headers

  • Strict-Transport-Security

    max-age=31536000; includeSubDomains; preload

    Forces browsers to use HTTPS for this domain for the given max-age. Also known as HSTS.

    • max-age

      31536000 seconds (365 days)

    • includeSubDomains

      Apply HSTS to all subdomains too.

    • preload

      Eligible for the browser preload list (hardcoded HTTPS).

  • X-Content-Type-Options

    nosniff

    nosniff disables MIME sniffing, blocking some content-type confusion attacks.

  • X-Frame-Options

    SAMEORIGIN

    Controls iframe embedding. DENY blocks all framing, SAMEORIGIN allows the same site only.

CORS

2 headers

  • Access-Control-Allow-Origin

    https://example.com

    Which origins may read the response. Cannot be * when credentials are included.

    • allow

      https://example.com

  • Access-Control-Allow-Credentials

    true

    If true, credentials (cookies, auth) are allowed in CORS requests.

Cookies

1 header

  • Set-Cookie

    session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600

    Tells the browser to set a cookie. Each Set-Cookie defines exactly one cookie.

    • name

      session

    • value

      abc123

    • Path

      /

    • HttpOnly

      (flag)

    • Secure

      (flag)

    • SameSite

      Lax

    • Max-Age

      3600 seconds (1 hour)

Custom or unknown

2 headers

  • Etag

    (sent as ETag)

    "a1b2c3d4-5e6f"

    Header is not in the well-known set tracked by this tool.

  • X-Request-Id

    7f3c1a8e-2b9d-4f1a-9c2e-5b7e8a3d6f12

    Vendor or application-defined header (the X- prefix is conventional for non-standard headers).

Normalized block

Header names rewritten to canonical Hyphen-Capital case.

HTTP/1.1 200 OK
Date: Sat, 04 Apr 2026 14:22:11 GMT
Server: nginx/1.25.4
Content-Type: text/html; charset=utf-8
Content-Length: 14823
Content-Encoding: gzip
Cache-Control: public, max-age=3600, stale-while-revalidate=86400
Etag: "a1b2c3d4-5e6f"
Last-Modified: Fri, 03 Apr 2026 18:00:00 GMT
Vary: Accept-Encoding, Accept-Language
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
X-Request-Id: 7f3c1a8e-2b9d-4f1a-9c2e-5b7e8a3d6f12

How to use

  1. Paste a raw HTTP header block into the input. Copy from curl -i, the Headers panel in browser DevTools, a fetch/Axios log, or any HTTP client that prints headers as text.
  2. An optional first line (HTTP/1.1 200 OK or GET /path HTTP/1.1) tells the parser whether you pasted a response or a request. A bare list of headers also works.
  3. Read the summary card for the detected first line, total headers, categories present, and a count of recommended security headers found versus missing.
  4. Browse the grouped sections to see every header with a plain-language description and decoded sub-fields (Cache-Control directives, Set-Cookie attributes, HSTS flags, Content-Type charset, etc.).
  5. Use the security headers audit to spot missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, or Permissions-Policy on a response.
  6. Click Copy on any header to grab its canonical Name: value, or Copy block at the bottom to copy the entire normalized header set.

About this tool

HTTP Headers Parser takes a raw block of HTTP headers, copied from a curl response, browser DevTools, a server log, or any tool that prints HTTP traffic, and turns it into a structured, searchable view of what each header means and how its value decodes.

The first line is detected automatically: a status line like 'HTTP/1.1 200 OK' marks the input as a response, a request line like 'GET /path HTTP/1.1' marks it as a request, and a bare list of headers is also accepted. Header names are normalized to canonical Hyphen-Capital case, folded continuation lines are joined, and duplicate header detection flags fields that appear more than once (Set-Cookie is the legitimate exception). Headers are grouped by category: General, Caching, Content, Security, CORS, Cookies, Authentication, Redirect, Rate limiting, and Custom or unknown (the X-* fallback).

For headers with structured values, the tool decodes the parts:

  • Cache-Control directives are split out with each max-age expressed in human time (1 hour, 1 day, 1 year).
  • Strict-Transport-Security shows max-age plus includeSubDomains and preload flags.
  • Set-Cookie splits the cookie name and value out from each attribute (Path, Domain, Max-Age in human time, HttpOnly, Secure, SameSite, Partitioned).
  • Content-Type separates the MIME type from charset and boundary.
  • Content-Length is rendered in human bytes.
  • Content-Encoding lists each compression algorithm with a short note.
  • Authorization decodes Basic credentials from base64 and recognizes JWT-shaped Bearer tokens.
  • Retry-After accepts both seconds and HTTP-date forms.
  • Access-Control-Max-Age is converted to human time.
  • Rate-limiting headers (X-RateLimit-* and the spec-draft RateLimit-*) are surfaced as their own category.

A security headers audit runs whenever the input looks like a response and lists which recommended headers are missing, with a severity hint: Strict-Transport-Security and Content-Security-Policy are flagged as high impact, X-Content-Type-Options and X-Frame-Options as medium, Referrer-Policy and Permissions-Policy as low.

A 'Copy' button next to every header copies the canonical Name: value pair, and a 'Copy block' button at the bottom copies the entire normalized header block ready to paste into documentation, a config file, or a peer review.

Useful when you are debugging caching, looking at why a Set-Cookie isn't sticking, validating CORS preflight responses, checking that a CDN is forwarding your security headers, comparing two environments, or auditing a third-party service's response. Everything runs in your browser, so the headers you paste, including any cookies, auth tokens, or internal CDN debug values, never leave your device.
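The parsing and audit steps described above can be reproduced in a few lines for use in a CI check or a review script. This is an added example, not the tool's own source: the function names (canonical, parseHeaderBlock, auditSecurityHeaders) and the SAMPLE input are assumptions made for illustration, while the six header names and their severities are the ones this page lists.

```javascript
// Added example; function names are hypothetical. Severities are the ones the page lists.
const RECOMMENDED = {
  'Strict-Transport-Security': 'high', 'Content-Security-Policy': 'high',
  'X-Content-Type-Options': 'medium', 'X-Frame-Options': 'medium',
  'Referrer-Policy': 'low', 'Permissions-Policy': 'low',
};
// Constructed sample: lowercase names, one folded line, one duplicated header.
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'content-type: text/html;',
  '  charset=utf-8',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  'x-content-type-options: nosniff', 'x-frame-options: SAMEORIGIN',
  'X-FRAME-OPTIONS: DENY',
  'set-cookie: a=1; Secure',
  'set-cookie: b=2; Secure',
].join('\r\n');

// "content-type" -> "Content-Type" (Hyphen-Capital case)
const canonical = (name) =>
  name.toLowerCase().replace(/(^|-)([a-z])/g, (_, dash, ch) => dash + ch.toUpperCase());

function parseHeaderBlock(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== '');
  let kind = 'bare';
  if (/^HTTP\/\d(\.\d)?\s+\d{3}\b/.test(lines[0] || '')) kind = 'response';
  else if (/^[A-Z]+\s+\S+\s+HTTP\/\d(\.\d)?$/.test(lines[0] || '')) kind = 'request';
  const firstLine = kind === 'bare' ? null : lines.shift();
  const headers = [];
  for (const line of lines) {
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1].value += ' ' + line.trim(); // folded continuation
      continue;
    }
    const i = line.indexOf(':');
    if (i <= 0) continue; // not a Name: value pair
    headers.push({ name: canonical(line.slice(0, i).trim()), value: line.slice(i + 1).trim() });
  }
  const counts = Object.create(null); // no prototype, so any header name is a safe key
  for (const h of headers) counts[h.name] = (counts[h.name] || 0) + 1;
  // Set-Cookie may legitimately repeat; any other repeated name is flagged.
  const duplicates = Object.keys(counts).filter((n) => counts[n] > 1 && n !== 'Set-Cookie');
  return { kind, firstLine, headers, duplicates };
}
function auditSecurityHeaders(parsed) {
  if (parsed.kind !== 'response') return []; // audit runs only for responses
  const present = new Set(parsed.headers.map((h) => h.name));
  return Object.entries(RECOMMENDED)
    .filter(([name]) => !present.has(name)).map(([name, severity]) => ({ name, severity }));
}
```

Running auditSecurityHeaders(parseHeaderBlock(SAMPLE)) reports the same three missing headers as the audit shown earlier on this page, and the conflicting X-Frame-Options values appear in duplicates.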

Free to use. Works in your browser. No signup, no login.
