HTTP Headers Analyzer | Security & Caching Check | DevFlow

How to use the HTTP Headers Analyzer online

  1. Paste raw HTTP response headers from browser DevTools (Network tab) or from `curl -I https://yourdomain.com`. Note that `curl -I` sends a HEAD request, and some servers attach different headers to HEAD than to GET; `curl -sS -D - -o /dev/null https://yourdomain.com` captures the headers of a real GET. Click Analyze or press ⌘↵.

  2. View your A–F security grade and 0–100 score. The grade reflects the presence and configuration of HSTS, CSP, X-Frame-Options, and other critical headers.

  3. Check the Security Headers, CORS, Caching, and Information Disclosure sections. Each row shows the header value, a status icon, and an actionable fix note.

  4. Fix missing headers by adding them to your Nginx, Apache, or Next.js config. The tool provides recommended values for each header.

  5. Review the compliance warnings. The tool flags missing HSTS and CSP as gaps relevant to PCI-DSS, the OWASP Top 10, and GDPR Article 32; treat them as pointers for your own assessment, not as proof of compliance.

HTTP Headers Analyzer Features

  • Instant A–F security grade and 0–100 score, similar to Mozilla Observatory and SecurityHeaders.com but running entirely in your browser.

  • HSTS validation: checks max-age, includeSubDomains, and preload directives. Flags missing or misconfigured Strict-Transport-Security.

  • Content-Security-Policy (CSP) analysis: parses directives and flags unsafe-inline, unsafe-eval, or wildcard sources that weaken XSS protection.

  • X-Frame-Options & X-Content-Type-Options: verifies DENY/SAMEORIGIN and nosniff. Detects Clickjacking and MIME-sniffing risks.

  • CORS misconfiguration detection: flags wildcard (*) origins, wildcard with credentials, and other dangerous Access-Control-Allow-* setups.

  • Information disclosure flags: identifies Server, X-Powered-By, X-AspNet-Version, and X-Runtime headers that leak fingerprints.

  • Caching analysis: parses Cache-Control directives, ETag, and Last-Modified for performance optimization.

  • PCI-DSS & GDPR compliance warnings: flags missing security headers as compliance gaps under strict regulatory requirements.

  • 100% client-side processing: headers are analyzed entirely in your browser. No data is sent to external servers.

  • Paste from cURL: paste the output of `curl -I https://example.com` to analyze headers without manual extraction.

  • AI-powered explanations: use the built-in AI to explain header configurations and get exact code snippets to fix issues.

  • JSON export: export the full analysis result as formatted JSON with ⌘⇧C for CI/CD pipelines and security audits.

  • Keyboard shortcuts: ⌘↵ to analyze, ⌘⇧C to copy JSON, ⌘⇧K to clear, ⌘⇧E for the examples dropdown.

Frequently Asked Questions

What HTTP security headers should every website have?
The OWASP Secure Headers Project recommends, among others: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Together they mitigate XSS, Clickjacking, MIME-sniffing, and information leakage. X-Frame-Options is the legacy anti-framing control; the CSP frame-ancestors directive supersedes it in current browsers, so set both while older clients still matter.
What is HSTS and why does it matter?
HTTP Strict-Transport-Security (HSTS) tells a browser that has seen it to connect to the host only over HTTPS (plain http:// URLs are upgraded before any request leaves) and to refuse to click through certificate errors, which defeats SSL-stripping downgrades and stops cookies leaking over plaintext. Browsers ignore the header on HTTP responses, so it must be sent by the HTTPS site. A secure config: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Add preload only once every subdomain serves HTTPS: it signals eligibility for the browser preload list (submitted at hstspreload.org), and removal from that list takes browser release cycles.
How is the security grade calculated?
The tool starts at 100. Critical headers (HSTS, CSP) deduct 20 points when missing and 10 when misconfigured. Medium headers (X-Frame-Options, X-Content-Type-Options) deduct 15. Info-leaking headers deduct 5 each.
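
The following is an added example, not DevFlow's code: a small analyzer that implements the checks described in the feature list (HSTS directives, CSP unsafe sources, framing, nosniff, CORS, fingerprinting headers) and the scoring rule stated in this answer, run over constructed header samples. The letter-grade cut-offs, the acceptance of CSP frame-ancestors in place of X-Frame-Options, and the treatment of a misconfigured medium header (scored like a missing one) are assumptions of mine that the page does not state; CORS is reported but not scored because the rule above does not mention it.

```javascript
// Added example (not DevFlow's code): raw header analysis plus the FAQ's scoring rule.
// Assumptions: grade cut-offs, frame-ancestors counting as framing protection, and
// medium-header misconfiguration scored like a missing header.

// Constructed sample: what `curl -I` might print for a weakly configured site.
const WEAK_RESPONSE = `HTTP/2 200
server: nginx/1.18.0
x-powered-by: Express
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://*
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-allow-credentials: true
cache-control: no-store`;

// Constructed sample: the same site after applying the recommended values.
const HARDENED_RESPONSE = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; frame-ancestors 'none'
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
cache-control: no-store`;

// Parse a raw response (status line + header lines) into a lower-cased name -> value map.
// Repeated headers are joined with ", " as RFC 9110 permits for list-valued fields.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//i.test(line)) continue;            // status line, e.g. "HTTP/2 200"
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                         // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

const ok = (note) => ({ status: 'ok', note });
const missing = (hdr) => ({ status: 'missing', note: `add ${hdr}` });
const bad = (issues) => ({ status: 'misconfigured', note: issues.join('; ') });

function checkHsts(h) {
  const v = h['strict-transport-security'];
  if (!v) return missing('Strict-Transport-Security');
  const maxAge = Number((/max-age=(\d+)/i.exec(v) || [null, '0'])[1]);
  const subs = /includesubdomains/i.test(v);
  const issues = [];
  if (maxAge < 31536000) issues.push(`max-age=${maxAge} is below one year`);
  if (!subs) issues.push('includeSubDomains absent');
  // hstspreload.org rejects entries lacking a one-year max-age or includeSubDomains
  if (/preload/i.test(v) && (maxAge < 31536000 || !subs)) issues.push('preload prerequisites unmet');
  return issues.length ? bad(issues) : ok(v);
}

function checkCsp(h) {
  const v = h['content-security-policy'];
  if (!v) return missing('Content-Security-Policy');
  const issues = [];
  for (const directive of v.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!/^(default-src|script-src)$/.test(name)) continue;   // the XSS-relevant fetch directives
    if (sources.includes("'unsafe-inline'")) issues.push(`${name} allows 'unsafe-inline'`);
    if (sources.includes("'unsafe-eval'")) issues.push(`${name} allows 'unsafe-eval'`);
    // '*', bare schemes like https:, and hosts such as https://* or *.example.com are wildcards
    if (sources.some((s) => s === '*' || /^https?:$/.test(s) || /^(https?:\/\/)?\*/.test(s)))
      issues.push(`${name} contains a wildcard source`);
  }
  return issues.length ? bad(issues) : ok(v);
}

function checkFraming(h) {
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return ok(xfo);
  if (/frame-ancestors/i.test(h['content-security-policy'] || '')) return ok('CSP frame-ancestors set');
  return xfo ? bad([`unsupported value ${xfo}`]) : missing('X-Frame-Options');
}

function checkNosniff(h) {
  const v = h['x-content-type-options'];
  if (!v) return missing('X-Content-Type-Options');
  return v.toLowerCase() === 'nosniff' ? ok(v) : bad([`expected nosniff, got ${v}`]);
}

// Reported but not scored: the FAQ's scoring rule does not include CORS.
function checkCors(h) {
  const origin = h['access-control-allow-origin'];
  const creds = /^true$/i.test(h['access-control-allow-credentials'] || '');
  if (origin === '*' && creds) return bad(['wildcard origin with credentials (browsers reject it; the policy is wrong)']);
  if (origin === '*') return { status: 'warn', note: 'wildcard origin: acceptable only for truly public responses' };
  return ok(origin || 'no CORS headers');
}

const LEAK_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-runtime'];

function analyze(raw) {
  const h = parseHeaders(raw);
  const findings = { hsts: checkHsts(h), csp: checkCsp(h), frame: checkFraming(h), nosniff: checkNosniff(h), cors: checkCors(h) };
  findings.leaks = LEAK_HEADERS.filter((n) => n in h).map((n) => `${n}: ${h[n]}`);
  let score = 100;
  for (const key of ['hsts', 'csp']) {            // critical: -20 missing, -10 misconfigured
    if (findings[key].status === 'missing') score -= 20;
    else if (findings[key].status === 'misconfigured') score -= 10;
  }
  for (const key of ['frame', 'nosniff']) {       // medium: -15 (assumption: also when misconfigured)
    if (findings[key].status !== 'ok') score -= 15;
  }
  score = Math.max(0, score - 5 * findings.leaks.length);   // -5 per fingerprinting header
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { score, grade, findings };
}

console.log(JSON.stringify(analyze(WEAK_RESPONSE), null, 2));
```

Run it with `node` on the output of `curl -I` or a DevTools paste; the weak sample scores 55 (F) from a short HSTS max-age, an inline-permitting CSP with a wildcard host, no framing protection, and two fingerprinting headers, while the hardened sample scores 100 (A).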
What does Content-Security-Policy actually prevent?
CSP limits Cross-Site Scripting (XSS) and data injection by allow-listing the sources from which a page may load scripts, styles, frames, and other content, so injected markup cannot pull in attacker-controlled code. A restrictive CSP like default-src 'self'; script-src 'self' https://trusted-cdn.com dramatically reduces the attack surface. A policy whose script-src carries 'unsafe-inline' gives almost no XSS protection; use nonces or hashes for inline scripts, and roll a new policy out with Content-Security-Policy-Report-Only before enforcing it.
Why is wildcard CORS (*) dangerous?
Access-Control-Allow-Origin: * lets any website read responses from your API, which is acceptable only for data that is genuinely public. Combining '*' with Access-Control-Allow-Credentials: true never works as intended: browsers refuse to expose a credentialed response to a wildcard. The dangerous variant is a server that reflects the request's Origin header into Access-Control-Allow-Origin together with Allow-Credentials: true, because then any site a logged-in user visits can read that user's authenticated responses; the wildcard-plus-credentials combination usually indicates a developer heading that way. Allow-list exact origins and send Vary: Origin when the value depends on the request.
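
To make the distinction concrete, here is an added example (not DevFlow's code) that simulates the browser-side read decision for a credentialed cross-origin request against four constructed server policies: wildcard with credentials, Origin reflection, a suffix match, and an exact allow-list. The server policies and origins are illustrative assumptions; the decision logic follows the CORS rules described above.

```javascript
// Added example (not DevFlow's code): why '*' + credentials is rejected by the browser
// while a reflected Origin with credentials hands authenticated data to any site.

// Can a page at `origin` read a response carrying these CORS headers?
// `withCredentials` is the fetch/XHR credentials mode (cookies, HTTP auth).
function browserAllowsRead(responseHeaders, origin, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = (responseHeaders['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return false;          // no CORS header: response stays opaque to scripts
  if (acao === '*') return !withCredentials;     // '*' never satisfies a credentialed request
  if (acao !== origin) return false;             // must match the requesting origin exactly
  return withCredentials ? acac : true;          // credentialed reads also need ACAC: true
}

// Constructed server policies: each maps the request's Origin to the headers the server emits.
const policies = {
  // The misconfiguration the analyzer flags; browsers block it, so nothing leaks.
  wildcardWithCredentials: (_origin) => ({
    'access-control-allow-origin': '*',
    'access-control-allow-credentials': 'true',
  }),
  // Reflects whatever Origin arrives: every site can read the victim's authenticated data.
  reflectAnyOrigin: (origin) => ({
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  }),
  // Classic bug: a suffix check that https://evilexample.com satisfies.
  suffixMatch: (origin) =>
    origin.endsWith('example.com')
      ? { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' }
      : {},
  // Exact allow-list with Vary: Origin, the correct shape for a credentialed API.
  allowList: (origin) => {
    const allowed = new Set(['https://app.example.com']);
    return allowed.has(origin)
      ? { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true', vary: 'Origin' }
      : {};
  },
};

// Evaluate a policy from the attacker's position: a hostile origin sending the victim's cookies.
function attackerCanReadAuthenticatedData(policyName, attackerOrigin = 'https://evil.example') {
  const headers = policies[policyName](attackerOrigin);
  return browserAllowsRead(headers, attackerOrigin, true);
}

for (const name of Object.keys(policies)) {
  console.log(name, '->', attackerCanReadAuthenticatedData(name) ? 'LEAKS' : 'blocked');
}
```

When an analyzer flags wildcard-plus-credentials, the practical follow-up is to send a request with a foreign Origin and see whether it comes back reflected; that is the case the browser does not save you from.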
Should I remove the Server header?
Yes. Server headers (like Apache/2.4.41 or nginx/1.18) and X-Powered-By (PHP/7.4, Express) leak your exact technology stack and version, which lets attackers go straight to the known vulnerabilities for that release. Removing them is defence in depth, not a substitute for patching: the stack can still be fingerprinted from behaviour. In Nginx, server_tokens off drops the version (the header still reads nginx); in Apache, ServerTokens Prod reduces it to Apache.
How do I add these headers in Nginx?
Add to the HTTPS server block (HSTS is only honoured over TLS; `always` also attaches the headers to 4xx/5xx responses):
  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
  add_header Content-Security-Policy "default-src 'self'" always;
  add_header X-Frame-Options DENY always;
  add_header X-Content-Type-Options nosniff always;
  add_header Referrer-Policy strict-origin-when-cross-origin always;
Caveat: a location block that contains any add_header of its own stops inheriting these, so either repeat them there or put them in an include that every location uses. Verify with curl after reloading, on both a normal page and a 404.
How do I add headers in Apache?
In your .htaccess or vhost (mod_headers must be enabled):
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set Content-Security-Policy "default-src 'self'"
  Header always set X-Frame-Options "DENY"
  Header always set X-Content-Type-Options "nosniff"
  ServerTokens Prod
Note that `Header unset Server` has no effect in stock Apache, because the core writes the Server header after mod_headers runs. ServerTokens Prod (server config only, not .htaccess) reduces it to "Apache", and ServerSignature Off keeps the version off generated error pages.
Does this tool work offline?
Yes. Once loaded, the HTTP Headers Analyzer works entirely in your browser. No network requests are made to analyze headers — everything runs client-side in JavaScript.
What is the difference between this tool and Mozilla Observatory?
Mozilla Observatory requires a URL and fetches headers server-side. DevFlow's HTTP Headers Analyzer lets you paste any raw headers (from any source), analyze at your own pace, and works offline. Both give letter grades but DevFlow also covers CORS misconfiguration and info-disclosure in detail.
How do I remove X-Powered-By in Express/Node.js?
Express adds X-Powered-By itself, so the built-in switch is app.disable('x-powered-by'). With Helmet, app.use(helmet.hidePoweredBy()) does the same, and app.use(helmet()) includes it along with the other security headers. res.removeHeader('X-Powered-By') only affects the single response it is called on.
What are Permissions-Policy and Referrer-Policy headers?
Permissions-Policy (formerly Feature-Policy) controls which browser features your page and its embedded frames may use (geolocation, camera, microphone), so an injected script or third-party iframe cannot invoke them; a typical value is Permissions-Policy: geolocation=(), camera=(), microphone=(). Referrer-Policy controls how much of the URL is sent as the Referer on outgoing requests; Referrer-Policy: strict-origin-when-cross-origin sends only the origin to other sites and nothing on an HTTPS-to-HTTP downgrade. Both should be set to restrictive values.
