🌐 HTTP Header Viewer
HTTP header viewer and analyzer tool for debugging web requests and responses.
📚 HTTP Headers Reference
Request Headers:
• Accept: application/json, text/html
• Accept-Encoding: gzip, deflate, br
• Accept-Language: en-US,en;q=0.9
• Authorization: Bearer token, Basic base64
• Content-Type: application/json, text/html
• Cookie: sessionid=abc123; csrftoken=xyz789
• Host: example.com
• Referer: https://example.com/page
• User-Agent: Mozilla/5.0 (browser info)
Response Headers:
• Content-Type: application/json; charset=utf-8
• Content-Length: 1234
• Content-Encoding: gzip
• Date: Wed, 21 Oct 2015 07:28:00 GMT
• ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
• Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT
• Location: https://example.com/new-location
• Server: nginx/1.18.0
• Set-Cookie: sessionid=abc123; HttpOnly; Secure
Security Headers:
• Content-Security-Policy: default-src 'self'
• Strict-Transport-Security: max-age=31536000
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY
• X-XSS-Protection: 1; mode=block
• Referrer-Policy: strict-origin-when-cross-origin
• Permissions-Policy: geolocation=(), microphone=()
HSTS (HTTP Strict Transport Security):
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CSP (Content Security Policy):
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
Feature Policy / Permissions Policy:
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cache Control:
• Cache-Control: no-cache, no-store, must-revalidate
• Cache-Control: public, max-age=3600
• Cache-Control: private, max-age=0
• Pragma: no-cache
• Expires: Wed, 21 Oct 2015 07:28:00 GMT
ETag and Validation:
• ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
• If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
• Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT
• If-Modified-Since: Wed, 21 Oct 2015 07:28:00 GMT
Cache Directives:
• no-cache: Must revalidate with server
• no-store: Don't store in any cache
• public: Can be cached by any cache
• private: Only cached by browser
• max-age: Cache lifetime in seconds
• must-revalidate: Must check with server when stale
CORS Headers:
• Access-Control-Allow-Origin: *
• Access-Control-Allow-Origin: https://example.com
• Access-Control-Allow-Methods: GET, POST, PUT, DELETE
• Access-Control-Allow-Headers: Content-Type, Authorization
• Access-Control-Allow-Credentials: true
• Access-Control-Max-Age: 86400
• Access-Control-Expose-Headers: X-Total-Count
Preflight Request:
OPTIONS /api/data HTTP/1.1
Origin: https://example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type
Preflight Response:
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 86400
🔢 HTTP Status Codes
1xx Informational
100 Continue
101 Switching Protocols
102 Processing
2xx Success
200 OK
201 Created
202 Accepted
204 No Content
3xx Redirection
301 Moved Permanently
302 Found
304 Not Modified
307 Temporary Redirect
4xx Client Error
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
429 Too Many Requests
5xx Server Error
500 Internal Server Error
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
