HTTP Headers Explainer
Paste a set of HTTP response headers; get a plain-English explanation of each plus security implications. Flags missing critical headers (CSP, HSTS, X-Content-Type-Options), insecure values, and conflicting directives.
How to use the HTTP Headers Explainer
Paste response headers (curl -I output works, browser DevTools header copy works). The explainer describes each, calls out security implications, and reports missing recommended security headers (HSTS, CSP, X-Frame-Options, etc.).
Reading HTTP response headers
HTTP response headers quietly control caching, security, and content handling, but their names and values are terse and the consequences are easy to miss. A missing Strict-Transport-Security leaves a site open to downgrade attacks, an absent X-Content-Type-Options: nosniff allows MIME sniffing, and a too-permissive Cache-Control can serve stale or private data. The defaults are rarely the safe choice.
Paste a set of response headers — curl -I output or a DevTools copy both work — and this explains each one in plain English, flags insecure or conflicting values, and lists recommended security headers you are missing. When it flags an absent Content-Security-Policy, build one with the CSP policy builder; to dig into caching specifically, the HTTP cache decoder.
Common use cases
- Security audits — spot missing HSTS, CSP, or frame protections.
- Cache debugging — understand why a response is or is not cached.
- Learning headers — get a plain-English read on unfamiliar header names.
- Pre-launch checks — review a site's headers before going live.
- Catching conflicts — find directives that contradict each other.