HTTP Header Explainer
Paste raw HTTP headers to get plain-English meanings and security implications for Cache-Control, CSP, and HSTS. A free, instant online developer tool with no signup.
What it does
Paste a block of raw HTTP response headers (from DevTools’ Network tab, or a curl -v output, or a server log) and the tool annotates each header with what it does, why it’s there, and any security-relevant context. Especially useful for security audits, debugging unexpected browser behavior (CORS, cookies, caching), and learning what each header actually controls.
The explainer covers the headers you actually encounter in production:
- Security headers: Content-Security-Policy (XSS prevention), Strict-Transport-Security (HTTPS enforcement), X-Frame-Options / CSP frame-ancestors (clickjacking), X-Content-Type-Options: nosniff (MIME sniffing), Permissions-Policy (successor to Feature-Policy), Referrer-Policy.
- Caching: Cache-Control, ETag, Last-Modified, Vary, Age.
- CORS: Access-Control-Allow-Origin and the related Access-Control-* family (the group that confuses everyone the first time).
- Cookies: Set-Cookie and its attributes (HttpOnly, Secure, SameSite, Domain, Path, Max-Age).
- Compression and content: Content-Encoding, Content-Type, Content-Length.
- Server identification: Server, X-Powered-By (security-relevant because they often leak software versions).
For each header, the explanation includes both what the header DOES and what risky configurations to watch for (e.g. an overly-permissive CSP, a Cache-Control allowing public caching of authenticated content, a Set-Cookie missing Secure flag).
Embed this tool on your site
Paste this snippet into any page. It loads on demand (lazy), carries no tracking scripts, and is sized for most dashboards; change the height to fit your layout.
<iframe src="https://freetoolarena.com/embed/http-header-explainer" width="100%" height="720" frameborder="0" loading="lazy" title="HTTP Header Explainer" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px;"></iframe>
How to use it
- Capture the raw response headers from the target: DevTools → Network → click the request → Headers tab → 'Response Headers'. From a terminal, `curl -sD - -o /dev/null <URL>` dumps the response headers of a normal GET; `curl -I <URL>` also works but sends a HEAD request, and some servers answer HEAD with different headers or a different status than GET, so prefer the former when the exact headers matter.
- Paste the headers into the input. The format is `Name: value\n` per line.
- The annotated output shows each header with its purpose, common values, and security-relevant context.
- Look for warnings — the tool flags risky configurations (missing security headers, weak CSP, public cache for sensitive content, missing cookie attributes).
- For verification, compare against securityheaders.com (independent audit tool that scores your headers A-F).
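As an added example (not the tool's own code), the following Python does the same job offline: it parses a capture in the `Name: value` form described above, skipping the status line that `curl -D` prints, and flags the risky configurations the page lists (missing HSTS or nosniff, CSP with `unsafe-inline`/`unsafe-eval`, no clickjacking protection, a cacheable per-user response, cookies without Secure/HttpOnly/SameSite, version-leaking Server headers). Both captures, the severity labels and the `authenticated` flag are constructed for illustration.

```python
import re

# Constructed sample: what `curl -sD - -o /dev/null https://example.test/account`
# might print for a logged-in page. Not captured from any real server.
SAMPLE_CAPTURE = """HTTP/1.1 200 OK
Server: nginx/1.21.0
X-Powered-By: PHP/8.1.0
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=3600
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
"""

# Constructed hardened version of the same response, for comparison.
HARDENED_CAPTURE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Cache-Control: private, no-store
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

ONE_YEAR = 31536000


def parse_headers(raw: str) -> dict:
    """Map lower-cased header name -> list of values (Set-Cookie can repeat).
    Skips the status line that curl -D includes and any blank lines."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate junk that is not Name: value
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: dict, authenticated: bool = False) -> list:
    """Return (severity, message) findings for the risky patterns the explainer flags.
    authenticated=True means the response is per-user and must not be cached."""
    findings = []

    def first(name):
        return headers.get(name, [None])[0]

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("medium", "HSTS max-age below one year"))

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    csp = first("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(("high", f"CSP allows {weak}"))
        if "frame-ancestors" not in csp and first("x-frame-options") is None:
            findings.append(("medium", "no frame-ancestors or X-Frame-Options (clickjacking)"))

    cache = (first("cache-control") or "").lower()
    if authenticated and ("public" in cache or "no-store" not in cache):
        findings.append(("high", "per-user response is cacheable (Cache-Control lacks no-store)"))

    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        # attribute names after the first "; ", compared case-insensitively
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for needed in ("secure", "httponly", "samesite"):
            if needed not in attrs:
                findings.append(("medium", f"cookie {cookie_name} missing {needed}"))

    for leaky in ("server", "x-powered-by"):
        value = first(leaky)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("low", f"{leaky} leaks a version: {value}"))

    return findings


if __name__ == "__main__":
    for label, capture in (("original", SAMPLE_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        print(f"== {label} ==")
        for severity, message in audit_headers(parse_headers(capture), authenticated=True):
            print(f"[{severity}] {message}")
```

Run it as-is to see nine findings for the first capture and none for the second; point `SAMPLE_CAPTURE` at your own curl output to audit a real response. The checks are deliberately string-based so they stay readable; a production scanner would parse each header's grammar properly.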
When to use this tool
- Auditing your own site's HTTP response headers for security and caching correctness.
- Learning what HTTP headers do (the explanations are educational).
- Debugging why a browser behaves unexpectedly (CORS preflight failing, cookies not setting, cache not invalidating).
- Reviewing third-party services' security posture as part of vendor evaluation.
When not to use it
- Request headers — the explainer focuses on response headers (the server's reply). Request headers (Authorization, Accept, User-Agent) work differently and aren't fully covered.
- Request body / payload analysis — this is headers only.
- Rare or vendor-specific headers (custom X- headers from internal services) — those need vendor docs.
- Compliance auditing (PCI, HIPAA) — the tool catches common issues but isn't a substitute for compliance-grade tooling.
Frequently asked questions
- What's a 'must-have' security header set?
- Modern minimum: Strict-Transport-Security with a max-age of at least one year (31536000) and ideally includeSubDomains; X-Content-Type-Options: nosniff; frame-ancestors in CSP (with X-Frame-Options as a fallback for older browsers); a Content-Security-Policy of at least default-src 'self'. Cookies should carry Secure, HttpOnly and SameSite=Lax (Strict for the most sensitive ones). Add Permissions-Policy to restrict camera, microphone and geolocation, and Referrer-Policy: strict-origin-when-cross-origin.
- Should I keep the Server header?
- Generally no. `Server: nginx/1.21.0` and `X-Powered-By: PHP/8.1.0` tell an attacker exactly which versions to look up exploits for. Hide or generalize them: nginx `server_tokens off;` drops the version (the header still reads `Server: nginx`; removing it entirely needs a module such as headers-more), Express `app.disable('x-powered-by')`, PHP `expose_php = Off` in php.ini. Treat this as hygiene rather than protection: scanners can still fingerprint software from its behaviour, so patching remains the real fix.
- What's the difference between X-Frame-Options and CSP frame-ancestors?
- X-Frame-Options is the older header (introduced with IE8 in 2009) with three values: DENY, SAMEORIGIN and ALLOW-FROM (never widely supported and now deprecated). CSP frame-ancestors is the newer, more flexible replacement: it supports multiple sources, wildcards and 'self'. When both are present, browsers that understand frame-ancestors ignore X-Frame-Options; older browsers fall back to it. Best practice: set both, and make them agree (for example frame-ancestors 'none' together with X-Frame-Options: DENY).
- Why does the Cache-Control header have so many directives?
- Because caching has many separate concerns: HOW LONG to cache (max-age, and s-maxage for shared caches), WHO can cache (public vs private), WHAT to do when stale (must-revalidate vs stale-while-revalidate), and WHETHER a stored copy may be reused at all (no-cache means it must be revalidated with the origin before reuse; no-store means it must not be written to any cache). The right combination depends on whether the resource is static and versioned (public, max-age=31536000, immutable) or per-user (private, no-store). Getting this wrong is the source of countless "why did my user see stale data" bugs, and in the per-user case can expose one user's page to another through a shared cache.
- What's a 'good' CSP?
- A sensible baseline: `default-src 'self'; object-src 'none'; base-uri 'self'`. From there, allowlist only the third-party origins you actually need (your CDN, analytics, ad networks). Avoid `unsafe-inline` and `unsafe-eval` wherever possible; they defeat the XSS protection. For inline scripts use a per-response nonce or a hash instead. Be aware that origin allowlists are fragile: a permitted CDN that also hosts JSONP endpoints or an old AngularJS build can be used to bypass the policy, which is why current "strict CSP" guidance favours nonces plus 'strict-dynamic' over long allowlists. Roll the policy out as Content-Security-Policy-Report-Only first to find violations before enforcing it.
- Why do my CORS preflights fail?
- Several common causes: (1) Access-Control-Allow-Origin names one fixed origin but the request comes from another (the server must echo the matching origin and send Vary: Origin, or use * when credentials are not needed); (2) Access-Control-Allow-Headers doesn't list a header the request sets (e.g. Authorization or a custom X- header; note that the * wildcard does not cover Authorization); (3) Access-Control-Allow-Credentials: true is missing when cookies or Authorization need to flow, or it is combined with Access-Control-Allow-Origin: *, which browsers reject; (4) Access-Control-Allow-Methods doesn't include the request method (e.g. PATCH). A fifth, easy to miss: the OPTIONS request itself hits authentication or a redirect and never returns a 2xx. The tool's CORS section explains each.
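To make the nonce and hash advice in the CSP answer concrete, the following Python is an added example (not the tool's code): it computes the `'sha256-…'` source expression for an inline script body, mints a per-response nonce, assembles a nonce-based policy, and checks whether a given inline script would be allowed by a policy, including the CSP3 rule that `'unsafe-inline'` is ignored once a nonce or hash is present. The policy adds `'strict-dynamic'` as current strict-CSP guidance recommends, which goes a step beyond the baseline quoted above; the directive set is an assumption for illustration.

```python
import base64
import hashlib
import secrets


def csp_hash(inline_script: str) -> str:
    """Source expression for an inline <script> body: 'sha256-<base64 digest>'.
    The hash covers the exact bytes between <script> and </script>, whitespace
    included, so a stray newline in the template changes it."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """128 bits of CSPRNG output, base64-encoded. Must be fresh for every response;
    a reused or predictable nonce is equivalent to 'unsafe-inline'."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, extra_script_hashes=(), report_only=False):
    """Return (header name, header value) for a nonce-based policy.
    Directive choices are an illustrative assumption, not the tool's recommendation."""
    script_src = ["'self'", f"'nonce-{nonce}'", "'strict-dynamic'", *extra_script_hashes]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def script_src_allows_inline(policy: str, inline_script: str) -> bool:
    """Would a browser run this inline script under this policy?
    Uses script-src, falling back to default-src. Per CSP3, 'unsafe-inline'
    is ignored when the directive also carries a nonce or hash."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return csp_hash(inline_script) in sources


if __name__ == "__main__":
    nonce = new_nonce()
    boot = "window.appConfig = {debug: false};"  # constructed inline script
    name, value = build_csp(nonce, extra_script_hashes=(csp_hash(boot),))
    print(f"{name}: {value}")
    print(f'<script nonce="{nonce}">/* allowed via nonce */</script>')
    print("inline allowed:", script_src_allows_inline(value, boot))
    print("inline with extra space allowed:", script_src_allows_inline(value, boot + " "))
```

The hash path is what you use for a fixed bootstrap snippet that a template engine cannot easily nonce; the nonce path is for everything else. Note that the hash check fails on a one-character difference, which is the usual reason a freshly deployed hash-based policy starts reporting violations.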
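The CORS causes listed above, as an added example that is not part of the tool: this Python applies the browser's preflight acceptance rules to a constructed OPTIONS exchange and returns every reason the request would be blocked, then shows the corrected response passing. The request and response dictionaries are made up for illustration; the rules themselves follow the Fetch standard, including the detail that `*` in Access-Control-Allow-Headers never covers Authorization and that wildcards are not honoured for credentialed requests.

```python
# Methods that never trigger a preflight on their own.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}

# Constructed browser-side request: a credentialed PATCH with a bearer token.
SAMPLE_REQUEST = {
    "origin": "https://app.example.test",
    "method": "PATCH",
    "headers": ["Authorization", "Content-Type"],
    "credentials": True,
}

# Constructed OPTIONS reply that gets all four common things wrong.
BROKEN_RESPONSE = {
    "Access-Control-Allow-Origin": "https://www.example.test",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
}

# Constructed corrected reply: exact origin echoed back, credentials enabled,
# method and headers listed, Vary so caches key on Origin.
FIXED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PATCH",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Vary": "Origin",
}


def _csv(value: str) -> set:
    """Split a comma-separated header value into a set of trimmed tokens."""
    return {t.strip() for t in value.split(",") if t.strip()}


def check_preflight(request: dict, response: dict) -> list:
    """Return the reasons a browser would reject this preflight; [] means it passes."""
    reasons = []
    r = {k.lower(): v for k, v in response.items()}
    creds = request.get("credentials", False)

    allow_origin = r.get("access-control-allow-origin")
    if allow_origin is None:
        reasons.append("no Access-Control-Allow-Origin on the OPTIONS response")
    elif allow_origin == "*":
        if creds:
            reasons.append("Access-Control-Allow-Origin: * is rejected for credentialed requests")
    elif allow_origin != request["origin"]:
        reasons.append(f"Access-Control-Allow-Origin {allow_origin} != Origin {request['origin']}")

    if creds and r.get("access-control-allow-credentials", "").lower() != "true":
        reasons.append("credentialed request but Access-Control-Allow-Credentials: true is missing")

    method = request["method"].upper()
    allowed_methods = {m.upper() for m in _csv(r.get("access-control-allow-methods", ""))}
    method_wildcard = "*" in allowed_methods and not creds
    if method not in SIMPLE_METHODS and method not in allowed_methods and not method_wildcard:
        reasons.append(f"method {method} not in Access-Control-Allow-Methods")

    allowed_headers = {h.lower() for h in _csv(r.get("access-control-allow-headers", ""))}
    for header in request.get("headers", []):
        # Fetch: the * wildcard never covers Authorization, and is literal when credentials are on.
        wildcard_ok = "*" in allowed_headers and not creds and header.lower() != "authorization"
        if header.lower() not in allowed_headers and not wildcard_ok:
            reasons.append(f"header {header} not in Access-Control-Allow-Headers")

    return reasons


if __name__ == "__main__":
    for label, resp in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        reasons = check_preflight(SAMPLE_REQUEST, resp)
        print(f"== {label}: {'pass' if not reasons else 'blocked'} ==")
        for reason in reasons:
            print(" -", reason)
```

Paste the OPTIONS response headers you captured into `BROKEN_RESPONSE` and the failing request's origin, method and custom headers into `SAMPLE_REQUEST` to get the same list the browser console hints at but rarely spells out. The function does not model the fifth failure mode (a non-2xx or redirected OPTIONS), which you can see directly in the Network tab.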