HTTP Headers Explainer

Paste a set of HTTP response headers; get a plain-English explanation of each plus security implications. Flags missing critical headers (CSP, HSTS, X-Content-Type-Options), insecure values, and conflicting directives.

How to use the HTTP Headers Explainer

Paste response headers (curl -I output works, browser DevTools header copy works). The explainer describes each, calls out security implications, and reports missing recommended security headers (HSTS, CSP, X-Frame-Options, etc.).

Reading HTTP response headers

HTTP response headers quietly control caching, security, and content handling, but their names and values are terse and the consequences are easy to miss. A missing Strict-Transport-Security leaves a site open to downgrade attacks, an absent X-Content-Type-Options: nosniff allows MIME sniffing, and a too-permissive Cache-Control can serve stale or private data. The defaults are rarely the safe choice.

Paste a set of response headers — curl -I output or a DevTools copy both work — and this explains each one in plain English, flags insecure or conflicting values, and lists recommended security headers you are missing. When it flags an absent Content-Security-Policy, build one with the CSP policy builder; to dig into caching specifically, the HTTP cache decoder.

Common use cases

  • Security audits — spot missing HSTS, CSP, or frame protections.
  • Cache debugging — understand why a response is or is not cached.
  • Learning headers — get a plain-English read on unfamiliar header names.
  • Pre-launch checks — review a site's headers before going live.
  • Catching conflicts — find directives that contradict each other.

Frequently asked questions

Where do I get the headers to paste?

From curl -I against a URL, or by copying the response headers from your browser DevTools network panel.

Which security headers does it check for?

Recommended ones such as Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.

Does it send any requests?

No. It only analyses the header text you paste, so nothing leaves your browser.

How do I fix a missing CSP?

Build a policy with the CSP policy builder and add it as a Content-Security-Policy header.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: