ZeroTool Workbench

HTTP Header Analyzer

Paste raw HTTP request or response headers to inspect security, caching, CORS, content, and auth metadata. 100+ header descriptions with compliance hints. Runs in your browser.

100% Client-Side · Your data never leaves your browser · Free · No Sign-Up

How to Use

  1. Paste raw HTTP headers into the text area. You can include the status line or method line as the first line.
  2. Click Analyze. The tool detects request vs response automatically and groups headers by category.
  3. Switch between Categorized, Raw, and JSON tabs to see different views.
  4. Read inline hints on security headers — warnings for misconfiguration, notes for hardening opportunities.
  5. Use Copy JSON to export the parsed result for further automation.

Example: Response with security headers

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-store
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Path=/

The analyzer groups Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy under Security. Cache-Control lands in Caching, Content-Type in Content, and Set-Cookie in Cookie. Each card includes a one-line description and any hints — for example, a Set-Cookie without HttpOnly triggers a warning.

Example: CORS preflight

OPTIONS /api/v1/orders HTTP/1.1
Host: api.example.com
Origin: https://app.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Authorization, Content-Type

This is recognized as a request. The Access-Control-Request-* pair indicates a preflight; the analyzer surfaces the Origin and lists the requested method and headers. Use it alongside the response side to debug CORS handshakes end-to-end.

Categories at a glance

  • Status — the first line (status line or method line).
  • Security — HSTS, CSP, X-Frame-Options, COOP/COEP/CORP, Permissions-Policy, fetch metadata.
  • Caching — Cache-Control, ETag, Vary, Expires, Last-Modified, conditional headers.
  • Content — Content-Type, Content-Encoding, Accept-*, Content-Disposition.
  • CORS — Access-Control-* and Origin.
  • Auth — Authorization, WWW-Authenticate, Proxy-Authenticate.
  • Cookie — Cookie and Set-Cookie.
  • Transport / Range / Proxy / General / Custom — the rest, with X-* unknown headers in Custom.

Compliance hints

Hints are conservative — they highlight obvious misconfiguration, not subjective style. Examples:

  • HSTS max-age below 1 year, or missing includeSubDomains / preload directives.
  • CSP containing 'unsafe-inline' or 'unsafe-eval'.
  • Set-Cookie without HttpOnly or Secure flags.
  • Access-Control-Allow-Credentials: true paired with a wildcard origin (spec-illegal).
  • Cache-Control combining no-store with max-age (dead weight).
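To make these five rules concrete, here is an added JavaScript example written for this page; it is not ZeroTool's own hint engine. It assumes an input shape chosen for illustration (an object mapping lower-cased header names to arrays of raw values, as a parser that keeps duplicates would produce), and the names `checkHeaders`, `directives` and `SAMPLE_HEADERS` are this example's, not the tool's. The one-year threshold is 31536000 seconds.

```javascript
// Added example (not ZeroTool's code): the five compliance rules above as a checker.
// Input shape is an assumption for this example: an object mapping lower-cased
// header names to arrays of raw values, as a parser that keeps duplicates would emit.
const ONE_YEAR_SECONDS = 31536000;

// Split a ";"-delimited value ("max-age=300; includeSubDomains") into a Map of
// lower-cased directive name -> value ("" when the directive carries no value).
function directives(value) {
  const out = new Map();
  for (const part of value.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key) out.set(key.toLowerCase(), rest.join("=").trim());
  }
  return out;
}

function checkHeaders(headers) {
  const hints = []; // each hint: { header, level: "warning" | "note", message }
  const get = (name) => headers[name.toLowerCase()] || [];
  const add = (header, level, message) => hints.push({ header, level, message });

  // HSTS: short or missing max-age is a warning; missing includeSubDomains / preload are hardening notes
  for (const v of get("Strict-Transport-Security")) {
    const d = directives(v);
    const maxAge = Number.parseInt(d.get("max-age") ?? "", 10);
    if (!Number.isFinite(maxAge) || maxAge < ONE_YEAR_SECONDS)
      add("Strict-Transport-Security", "warning", "max-age missing or below one year (31536000)");
    if (!d.has("includesubdomains")) add("Strict-Transport-Security", "note", "missing includeSubDomains");
    if (!d.has("preload")) add("Strict-Transport-Security", "note", "missing preload");
  }

  // CSP: the two keywords that re-enable inline script and eval
  for (const v of get("Content-Security-Policy")) {
    for (const keyword of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (v.toLowerCase().includes(keyword)) add("Content-Security-Policy", "warning", `contains ${keyword}`);
    }
  }

  // Set-Cookie: every cookie needs HttpOnly and Secure; attribute names are case-insensitive
  for (const v of get("Set-Cookie")) {
    const cookieName = v.split("=")[0].trim();
    const d = directives(v);
    for (const flag of ["HttpOnly", "Secure"]) {
      if (!d.has(flag.toLowerCase())) add("Set-Cookie", "warning", `cookie "${cookieName}" lacks ${flag}`);
    }
  }

  // CORS: a wildcard origin cannot be combined with credentials (browsers reject the response)
  const credentialed = get("Access-Control-Allow-Credentials").some((v) => v.trim().toLowerCase() === "true");
  if (credentialed && get("Access-Control-Allow-Origin").some((v) => v.trim() === "*"))
    add("Access-Control-Allow-Origin", "warning", "wildcard origin with Allow-Credentials: true is spec-illegal");

  // Cache-Control: no-store already forbids storage, so max-age adds nothing
  for (const v of get("Cache-Control")) {
    const tokens = v.split(",").map((t) => t.trim().toLowerCase());
    if (tokens.includes("no-store") && tokens.some((t) => t.startsWith("max-age=")))
      add("Cache-Control", "note", "no-store combined with max-age (dead weight)");
  }

  return hints;
}

// Constructed sample that trips every rule at least once.
const SAMPLE_HEADERS = {
  "strict-transport-security": ["max-age=300"],
  "content-security-policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
  "set-cookie": ["session=abc123; HttpOnly; Secure; SameSite=Strict; Path=/", "theme=dark; Path=/"],
  "access-control-allow-origin": ["*"],
  "access-control-allow-credentials": ["true"],
  "cache-control": ["no-store, max-age=0"],
};

for (const h of checkHeaders(SAMPLE_HEADERS)) console.log(`[${h.level}] ${h.header}: ${h.message}`);
```

Run against the constructed sample, the checker emits eight hints: five warnings (short HSTS max-age, 'unsafe-inline', the `theme` cookie twice, the wildcard-plus-credentials pair) and three notes (two HSTS directives, the no-store/max-age overlap). A response carrying `max-age=63072000; includeSubDomains; preload` and nothing else produces no hints at all, which matches the "conservative" intent stated above.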


FAQ

Does this tool send my headers to a server?

No. Parsing and analysis run entirely in your browser via inline JavaScript. Nothing is uploaded. Paste sensitive Authorization tokens, Set-Cookie strings, or production headers without worry.

Can it fetch headers from a URL?

No — by design. URL fetching requires a backend and opens the door to abuse. Paste headers from curl -I, fetch -v, browser DevTools Network panel, or any HTTP client instead. The analyzer is the second step; capture is the first.

How does it detect request vs response?

It reads the first line. HTTP/x.x followed by a status code is a response. A method (GET, POST, …) followed by a path and HTTP/x.x is a request. If neither matches, the input is treated as header-only and all lines are parsed as headers.

What security headers does it check?

It flags presence and configuration of Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Set-Cookie flags, the Cross-Origin-* family, and CORS Allow-Origin / Allow-Credentials combinations.

How does it handle duplicate headers and folded lines?

Duplicate header names are kept as separate entries in the categorized view and collapsed into JSON arrays in the JSON view. HTTP/1.1 obs-fold lines (those starting with whitespace) are merged into the previous header per RFC 7230.

Can I export the parsed result?

Yes. Click Copy JSON to copy a normalized object. Single-value headers become string values; repeated headers become arrays preserving order. The status line is included under the key _status.
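The three FAQ answers on first-line detection, duplicate and folded headers, and the JSON export describe one parsing pipeline. The following is an added JavaScript example written for this page, not the analyzer's own source: the function names `classifyFirstLine`, `parseHeaders` and `toJson`, the lower-casing of header names in the JSON keys, and the sample response are assumptions made for illustration.

```javascript
// Added example (not the analyzer's source): the parsing pipeline the FAQ describes.
// Function names, the lower-casing of JSON keys and the sample input are assumptions
// made for this example.
const RESPONSE_LINE = /^HTTP\/\d(?:\.\d)?\s+(\d{3})(?:\s+(.*))?$/;
const REQUEST_LINE = /^([A-Z]+)\s+(\S+)\s+HTTP\/\d(?:\.\d)?$/;

// Request vs response detection from the first line, as the FAQ describes.
function classifyFirstLine(line) {
  let m = RESPONSE_LINE.exec(line);
  if (m) return { kind: "response", status: Number(m[1]), reason: m[2] ?? "" };
  m = REQUEST_LINE.exec(line);
  if (m) return { kind: "request", method: m[1], target: m[2] };
  return { kind: "headers-only" };
}

function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  let i = 0;
  while (i < lines.length && lines[i].trim() === "") i++; // skip leading blank lines

  const first = classifyFirstLine((lines[i] ?? "").trim());
  let status = null;
  if (first.kind !== "headers-only") status = lines[i++].trim();

  // Unfold obs-fold continuations (RFC 7230 section 3.2.4): a line that starts with
  // SP or HTAB continues the previous field, joined with a single space.
  const fields = [];
  for (; i < lines.length; i++) {
    const line = lines[i];
    if (line.trim() === "") break; // first blank line ends the header section; anything after is body
    if (/^[ \t]/.test(line) && fields.length > 0) fields[fields.length - 1] += " " + line.trim();
    else fields.push(line);
  }

  // Split "Name: value"; duplicates stay as separate entries, in input order.
  const entries = [];
  for (const f of fields) {
    const colon = f.indexOf(":");
    if (colon <= 0) continue; // no field name: ignore the malformed line
    entries.push({ name: f.slice(0, colon).trim(), value: f.slice(colon + 1).trim() });
  }
  return { kind: first.kind, status, entries };
}

// Export shape: single-value headers as strings, repeated headers as arrays in order,
// the status line under _status. Keys are lower-cased here (an assumption of this example).
function toJson(parsed) {
  const out = {};
  if (parsed.status !== null) out._status = parsed.status;
  for (const { name, value } of parsed.entries) {
    const key = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(out, key)) out[key] = value;
    else if (Array.isArray(out[key])) out[key].push(value);
    else out[key] = [out[key], value];
  }
  return out;
}

// Constructed sample: a response with a repeated Set-Cookie, an obs-fold continuation, and a body.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json; charset=utf-8",
  "Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Path=/",
  "Set-Cookie: theme=dark; Path=/",
  "Vary: Accept-Encoding,",
  "\tOrigin",
  "",
  '{"ok":true}',
].join("\r\n");

console.log(JSON.stringify(toJson(parseHeaders(SAMPLE_RESPONSE)), null, 2));
```

The `hasOwnProperty` check matters: a plain `key in out` test would misfile a header whose name happens to match an `Object.prototype` member (for instance a custom `Constructor:` header) and corrupt the export. Stopping at the first blank line keeps a pasted body out of the header list, and the folded `Vary` value comes out as `Accept-Encoding, Origin` on a single entry.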