HTTP Header Explainer
Paste raw headers — get plain-English meanings and security implications for each header (Cache-Control, CSP, HSTS and more).
Updated April 2026
| Header | Example value | Meaning | Security |
|---|---|---|---|
| Cache-Control | `public, max-age=3600` | Directives for caching in browsers and intermediate caches. | `private` prevents shared caches from storing; use `no-store` for sensitive responses. |
| Content-Security-Policy | `default-src 'self'; script-src 'self' https://cdn.example.com` | Whitelist of allowed sources for scripts, styles, images, etc. | Strong defense against XSS. Avoid `'unsafe-inline'` / `'unsafe-eval'`. |
| Strict-Transport-Security | `max-age=63072000; includeSubDomains; preload` | Forces HTTPS for the given max-age. | Use `includeSubDomains` + `preload` for maximum coverage once you’re all-HTTPS. |
| X-Frame-Options | `DENY` | Legacy clickjacking control: `DENY` / `SAMEORIGIN`. | Superseded by CSP `frame-ancestors`, but still respected by old browsers. |
| X-Content-Type-Options | `nosniff` | `nosniff` disables MIME-type sniffing. | Prevents browsers from executing non-script files as scripts. |
| Referrer-Policy | `strict-origin-when-cross-origin` | Controls the Referer header sent on navigation. | `strict-origin-when-cross-origin` is the modern default. |
| Permissions-Policy | `geolocation=(), camera=()` | Gates access to powerful browser APIs (camera, geolocation, etc.). | Disable features you don’t use to shrink the attack surface. |
| Set-Cookie | `session=abc123; HttpOnly; Secure; SameSite=Lax` | Sets a cookie on the client. | Always set `HttpOnly` + `Secure` + `SameSite` on session cookies. |
What it does
Decode raw HTTP headers with security-relevant context for each.
Runs entirely in your browser — no upload, no account, no watermark.
How to use it
- Paste response headers.
- Read explanations.
- Fix risky settings.
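As an added illustration of the checks in the table above (example code, not the tool's own), a small browser-side analyser that parses a raw response header block and reports the risky settings the table warns about; the sample response is constructed, not a real capture.

```javascript
// Added example (not the tool's own code): flag risky settings in raw response headers.
const CHECKS = {
  "cache-control": v => /\b(no-store|private)\b/i.test(v) ? [] : ["Cache-Control: no private/no-store, shared caches may store this response"],
  "content-security-policy": v => {
    const issues = [];
    if (/'unsafe-inline'/.test(v)) issues.push("CSP allows 'unsafe-inline'");
    if (/'unsafe-eval'/.test(v)) issues.push("CSP allows 'unsafe-eval'");
    return issues;
  },
  "strict-transport-security": v => {
    const issues = [];
    if (!/max-age=\d+/i.test(v)) issues.push("HSTS missing max-age");
    if (!/includeSubDomains/i.test(v)) issues.push("HSTS lacks includeSubDomains");
    return issues;
  },
  "x-content-type-options": v => /^nosniff$/i.test(v) ? [] : ["X-Content-Type-Options is not nosniff"],
  "set-cookie": v => ["HttpOnly", "Secure", "SameSite"]
    .filter(flag => !new RegExp(`;\\s*${flag}`, "i").test(v))
    .map(flag => `cookie lacks ${flag}`),
};
const REQUIRED = ["content-security-policy", "strict-transport-security", "x-content-type-options"]; // absence is reported
// Split a raw header block into [name, value] pairs; an array keeps repeated headers such as Set-Cookie.
function parseHeaders(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // skip the status line and blank lines
    pairs.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return pairs;
}
// Run every check and report missing hardening headers; returns a list of plain-English findings.
function analyse(raw) {
  const findings = [];
  const seen = new Set();
  for (const [name, value] of parseHeaders(raw)) {
    seen.add(name);
    if (CHECKS[name]) findings.push(...CHECKS[name](value));
  }
  for (const name of REQUIRED) if (!seen.has(name)) findings.push(`missing ${name}`);
  return findings;
}
// Constructed sample response (not a real capture) with several weak settings.
const SAMPLE = "HTTP/1.1 200 OK\nCache-Control: public, max-age=3600\n" +
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\n" +
  "Strict-Transport-Security: max-age=63072000\n" +
  "Set-Cookie: session=abc123; Secure; SameSite=Lax";
```

Calling `analyse(SAMPLE)` yields five findings: the cacheable response, the inline-script CSP, the HSTS header without `includeSubDomains`, the cookie without `HttpOnly`, and the missing `X-Content-Type-Options`.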