HTTP Response Header Analyzer

Paste raw HTTP headers and get a security and caching score with fixes.

Free HTTP response header analyzer. Paste a raw response header block and get a security score for CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and caching, with plain-English explanations. Runs in-browser; no request is made. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Does this tool make a request to the URL?

No. It only parses the header text you paste. It never connects to any server, so it works for internal or authenticated responses you have already captured.

HTTP response headers carry instructions from a server to the browser about security, caching, and content handling. A handful of these headers are the front line against attacks like cross-site scripting, clickjacking, and protocol downgrade. This free analyzer scores a pasted header block so you can see your security posture at a glance — without making any outbound request.

How to capture the headers

You need the raw response header block from the site you want to check. Three ways to get it:

Command line (fastest):

curl -sI https://example.com

Browser dev tools:

  1. Open DevTools → Network tab.
  2. Load the page and click the document request (usually the first one).
  3. Go to the Response Headers panel and copy the header block.

Online proxy (for sites behind auth): Capture the headers from your browser’s Network tab, which includes headers from authenticated sessions that curl cannot reach.

What the analyzer checks

The tool splits your input into Header-Name: value pairs (case-insensitive, repeated headers comma-joined) and runs a weighted rubric:

Content-Security-Policy (highest weight)

CSP is the strongest defence against cross-site scripting. The analyzer awards full points when CSP is present and clean, and reduced points if it contains 'unsafe-inline' or 'unsafe-eval' — directives that allow inline scripts and defeat much of CSP’s XSS protection. A missing CSP loses all CSP points.

Strict-Transport-Security (HSTS)

Protects against protocol downgrade and cookie hijacking by telling browsers to only connect over HTTPS. Full points require a max-age of at least ~180 days (about 15,552,000 seconds). Adding includeSubDomains and preload strengthens it further.

X-Content-Type-Options

Must be nosniff to prevent browsers from MIME-sniffing a response away from its declared Content-Type. Without it, a server that accepts user-uploaded files could be exploited by disguising scripts as images.

X-Frame-Options / CSP frame-ancestors

Prevents clickjacking by controlling whether the page may be embedded in an <iframe>. Either X-Frame-Options: DENY or a Content-Security-Policy: frame-ancestors 'none' directive satisfies this check. The CSP form is newer and more flexible.

Referrer-Policy

Controls what URL is sent in the Referer header when a user navigates away from your page. A policy like strict-origin-when-cross-origin avoids leaking full path URLs to third parties while preserving origin for same-site requests.

Permissions-Policy

Restricts which browser features (camera, microphone, geolocation, payment, etc.) the page and any embedded iframes may access. Presence is checked; a policy of () for every feature you do not use is safest.

Cache-Control

Checked for presence only, because correct values depend on the resource. A missing Cache-Control on sensitive endpoints (authenticated pages, API responses) is flagged as a concern.

Server version disclosure

A Server: Apache/2.4.51 (Ubuntu) header advertises your software and version to attackers. The analyzer flags any Server value that appears to include a version string. Prefer Server: Apache or suppress the header entirely.

Reading the score

Each check contributes weighted points; the total becomes a percentage and a letter grade. A perfect score is a guide, not a requirement — Permissions-Policy depends heavily on what features your site actually uses, and some headers like X-Frame-Options have legitimate reasons to be set to ALLOWALL on certain pages. Treat warnings as prompts to review, not mandates to fix blindly.