HTTP Header Analyzer
Paste HTTP headers from curl, browser DevTools, or Burp Suite. Checks for missing or misconfigured security headers instantly.
No sign-up. No tracking. Runs in your browser.
Copy-ready header config for nginx, Apache, and Cloudflare Workers.
nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
Apache (.htaccess)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Cloudflare Workers
response.headers.set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';");
response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=()");

Common Use Cases
- Audit security headers before deployment: paste raw headers from curl or browser DevTools to check for missing Content-Security-Policy, HSTS, X-Frame-Options, and other security headers before going live.
- Compare staging vs. production headers: paste headers from both environments and compare the security posture to catch configuration drift between environments.
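The check the use cases above describe, as an added example that is not the analyzer's own source: parse a pasted header block as curl -I prints it, report which of the six headers from the configs above are absent, and flag weak values. The one-year HSTS threshold and the 'unsafe-inline' script check are assumptions about what counts as misconfigured.

```javascript
// Added example (not the analyzer's source): the six headers the configs above set.
const REQUIRED = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
  "permissions-policy",
];

// Turn raw header text (status line and blank lines skipped) into a
// lowercase-name -> value map; repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

// Return findings as strings; an empty array means every check passed.
// Thresholds (one-year HSTS, no 'unsafe-inline' scripts) are assumptions.
function analyzeHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = REQUIRED.filter(n => !(n in h)).map(n => `missing: ${n}`);
  const hsts = h["strict-transport-security"];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push("weak: hsts max-age below one year");
    if (!/includeSubDomains/i.test(hsts)) findings.push("weak: hsts lacks includeSubDomains");
  }
  const csp = h["content-security-policy"];
  if (csp) {
    const script = csp.split(";").map(d => d.trim()).find(d => d.split(/\s+/)[0] === "script-src") || "";
    if (script.includes("'unsafe-inline'")) findings.push("weak: csp script-src allows 'unsafe-inline'");
  }
  const xcto = h["x-content-type-options"];
  if (xcto && xcto.toLowerCase() !== "nosniff") findings.push("weak: x-content-type-options is not nosniff");
  return findings;
}

// Constructed sample, as `curl -I` would print it: HSTS too short, CSP absent.
const SAMPLE_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" +
  "Strict-Transport-Security: max-age=3600\r\nX-Content-Type-Options: nosniff\r\n\r\n";
console.log(analyzeHeaders(SAMPLE_WEAK));
```

Pasting the nginx or Apache set above through this check flags script-src 'unsafe-inline', which is the one directive in that copy-ready config worth tightening once inline scripts have been moved into files.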
Pro plan — coming soon
Save your history, create reusable presets, and share outputs with a link. One plan, all tools.
Related Tools
CORS Tester
Send a real preflight and actual request to any URL and diagnose the CORS configuration. Identifies missing or misconfigured Allow-Origin, methods, and credentials headers.
Redirect Checker
Follow HTTP redirect chains for any URL. See every hop with status code, Location header, and timing. Debug redirect loops, broken chains, and final destinations.
API Request Builder
Build and send HTTP requests from your browser. Set method, headers, and body, then see the full response with status, headers, and body. Server-side proxy avoids CORS restrictions.