Request Header Inspector

Paste a raw HTTP header block — get a grouped table with per-header explanations, a security audit (HSTS, CSP, CORS wildcards, X-Content-Type-Options), and auth/cookie value redaction by default.

Runs 100% client-side

HOW TO USE

  1. Paste a raw HTTP header block (from curl -I, DevTools "Copy as Headers", or a proxy intercept).
  2. Read the per-header 'What it does / QA note' breakdown and the PASS/WARN/FAIL security findings.
  3. Toggle 'Mask auth / cookie values' to keep tokens out of screenshots.
  4. Copy the findings as Markdown for a bug report.


WHEN TO USE

Use when you have a raw HTTP header block — from curl -I output, browser DevTools "Copy as Headers", a proxy intercept, or an API response — and need to understand what each header does, spot security misconfigurations (missing HSTS, CSP, or X-Content-Type-Options), or check CORS settings without sending the headers to a third-party service. All parsing is client-side; paste confidently.

WHAT BUGS THIS FINDS

  • Missing HSTS on HTTPS endpoints

    No Strict-Transport-Security means the browser won't enforce HTTPS on return visits — MITM downgrade attacks remain possible.

  • CORS wildcard on credentialled endpoints

    Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true is invalid per spec, so the browser rejects the response — this often surfaces as a generic 'CORS error' that's hard to diagnose without inspecting the headers.

  • Missing X-Content-Type-Options

    Without nosniff, browsers may MIME-sniff uploaded files — a file renamed from .html and served as image/png could be executed as HTML in older browsers.

  • No CSP header

    A missing Content-Security-Policy leaves the page open to XSS via injected scripts — the header should be present even if set to a permissive initial value.

QA USE CASES

  1. Audit a response for security headers

     Paste the response headers from the endpoint under test — get instant PASS/WARN/FAIL findings for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and CORS wildcards.

  2. Debug a CORS failure

     Paste the preflight OPTIONS response headers — see exactly which Access-Control-Allow-* header is absent or misconfigured.

  3. Inspect auth headers before filing a bug

     Paste request headers with redaction ON — confirm the Authorization value is present (masked) without exposing your token in a screenshot.

  4. Understand an unfamiliar header

     Paste any header block and use the per-header 'What it does / QA note' column to learn what each directive means.

  5. Verify caching directives

     Paste a response with Cache-Control headers to confirm no-store is set on sensitive endpoints (auth, account, payment).
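The checks listed under "What bugs this finds" and the QA use cases above (security-header audit, CORS wildcard detection, masked auth/cookie values, no-store on sensitive endpoints, Markdown export) can be reproduced in a few dozen lines of client-side JavaScript. The block below is an added example written for this page; it is not the inspector's own code. The function names (parseHeaders, get, redact, audit, findingsToMarkdown), the SENSITIVE_HEADERS list, the PASS/WARN/FAIL wording and the two sample header blocks (one weak, one hardened) are all assumptions constructed for the example, not captures from a real service.

```javascript
// Added example (not the tool's own code): parse a raw HTTP header block, run
// the audits described on this page, and mask credential-bearing values.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization",
  "cookie", "set-cookie", "x-api-key", "x-auth-token"]); // assumed list

// Parse "Name: value" lines into {name, value} pairs, keeping duplicates
// (Set-Cookie may repeat). A leading status or request line is skipped.
function parseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || /^HTTP\/\d/.test(line) || /^[A-Z]+ \S+ HTTP\//.test(line)) continue;
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a header line, ignore
    headers.push({ name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() });
  }
  return headers;
}

// First value of a header (names are stored lower-cased), or undefined.
function get(headers, name) {
  const h = headers.find((x) => x.name === name);
  return h ? h.value : undefined;
}

// Mask sensitive values; the auth scheme (e.g. "Bearer") is kept so a screenshot
// still shows what kind of credential was sent, never the credential itself.
function redact(headers) {
  return headers.map((h) => {
    if (!SENSITIVE_HEADERS.has(h.name)) return h;
    const m = /^(\w+)\s+\S/.exec(h.value);
    const scheme = h.name.endsWith("authorization") && m ? m[1] + " " : "";
    return { name: h.name, value: scheme + "[redacted]" };
  });
}

// Security audit. opts.isHttps: served over TLS (HSTS applies);
// opts.sensitive: auth/account/payment endpoint, so no-store is required.
function audit(headers, opts = {}) {
  const { isHttps = true, sensitive = false } = opts;
  const findings = [];
  const add = (status, header, note) => findings.push({ status, header, note });
  const hsts = get(headers, "strict-transport-security");
  if (!isHttps) add("WARN", "Strict-Transport-Security", "not applicable on plain HTTP");
  else if (!hsts) add("FAIL", "Strict-Transport-Security", "missing: HTTPS not enforced on return visits");
  else add("PASS", "Strict-Transport-Security", hsts);
  const acao = get(headers, "access-control-allow-origin");
  const acac = (get(headers, "access-control-allow-credentials") || "").toLowerCase();
  if (acao === "*" && acac === "true") add("FAIL", "Access-Control-Allow-Origin", "wildcard with credentials: browser rejects the response");
  else if (acao === "*") add("WARN", "Access-Control-Allow-Origin", "wildcard: any origin can read this response");
  else if (acao) add("PASS", "Access-Control-Allow-Origin", acao);
  const xcto = get(headers, "x-content-type-options");
  if (!xcto) add("FAIL", "X-Content-Type-Options", "missing: body may be MIME-sniffed");
  else if (xcto.toLowerCase() !== "nosniff") add("WARN", "X-Content-Type-Options", `unexpected value "${xcto}"`);
  else add("PASS", "X-Content-Type-Options", xcto);
  const csp = get(headers, "content-security-policy");
  if (!csp) add("FAIL", "Content-Security-Policy", "missing: no defence in depth against injected scripts");
  else if (/unsafe-inline|\*/.test(csp)) add("WARN", "Content-Security-Policy", "permissive: unsafe-inline or wildcard source");
  else add("PASS", "Content-Security-Policy", csp);
  const xfo = get(headers, "x-frame-options");
  if (xfo || (csp && /frame-ancestors/.test(csp))) add("PASS", "X-Frame-Options", xfo || "covered by CSP frame-ancestors");
  else add("WARN", "X-Frame-Options", "missing: page may be framed (clickjacking)");
  if (sensitive) {
    const cc = (get(headers, "cache-control") || "").toLowerCase();
    if (/\bno-store\b/.test(cc)) add("PASS", "Cache-Control", cc);
    else add("FAIL", "Cache-Control", "no-store missing on a sensitive endpoint");
  }
  return findings;
}

// Render findings as a Markdown table for a bug report.
function findingsToMarkdown(findings) {
  return ["| Status | Header | Note |", "|---|---|---|",
    ...findings.map((f) => `| ${f.status} | ${f.header} | ${f.note} |`)].join("\n");
}

// Constructed samples (not real captures): a weak response and a hardened one.
const WEAK_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
  "Set-Cookie: session=abc123; Path=/; HttpOnly",
  "Cache-Control: private, max-age=60",
].join("\n");
const HARDENED_RESPONSE = [
  "Strict-Transport-Security: max-age=31536000; includeSubDomains",
  "Access-Control-Allow-Origin: https://app.example",
  "Access-Control-Allow-Credentials: true",
  "X-Content-Type-Options: nosniff",
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  "Cache-Control: no-store",
].join("\n");

console.log(findingsToMarkdown(audit(parseHeaders(WEAK_RESPONSE), { sensitive: true })));
console.log(findingsToMarkdown(audit(parseHeaders(HARDENED_RESPONSE), { sensitive: true })));
```

Running it prints two Markdown tables: the weak response fails HSTS, CORS, nosniff, CSP and no-store and warns on X-Frame-Options, while the hardened response passes every check (the missing X-Frame-Options is accepted because its CSP carries frame-ancestors). Everything happens in the page's own JavaScript, so no header value leaves the browser, which is the same property the inspector relies on.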