Toollyz

HTTP Header Checker

Paste the raw output of `curl -I` or DevTools' Headers tab. Parses every header (including obs-folded continuations), then audits HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, Cache-Control, CORS and Set-Cookie. 100% offline.

What is the HTTP Header Checker?

HTTP Header Checker parses the raw text of any HTTP response (status line optional) into a structured list of headers, then runs a curated audit across the four areas that matter day-to-day. Security: HSTS (max-age, includeSubDomains, preload), Content-Security-Policy (presence of `unsafe-inline`/`unsafe-eval`, default-src), X-Frame-Options or CSP frame-ancestors, X-Content-Type-Options (`nosniff`), Referrer-Policy, Permissions-Policy, COOP, COEP. Caching: Cache-Control directives, the contradiction of public and private together, max-age over 1 year, Expires and Cache-Control both present, and ETag/Last-Modified for revalidation. CORS: the wildcard-with-credentials combination that browsers reject, missing Vary: Origin when reflecting a specific origin, and wildcard methods/headers with credentials. Content: Content-Type charset, Set-Cookie Secure/HttpOnly/SameSite flags, server-banner leakage. Status codes are flagged at the right severity (5xx as errors, 4xx as warnings, 3xx as redirects with the Location shown). Nothing is fetched: paste a response you already have.

How to use it

  1. Run `curl -I https://example.com` or open DevTools → Network → click a request → Headers → copy. (`curl -I` sends a HEAD request; if the server answers HEAD differently from GET, use `curl -sD - -o /dev/null https://example.com` to capture the headers of a real GET.)
  2. Paste the response (status line + headers) into the box.
  3. Read the Findings panel — each entry tells you the severity, the header name and what to do.
  4. Use the parsed headers table to copy individual headers, or 'Copy input' to share the raw text.

Benefits

  • 30+ audits across security, caching, CORS and content headers.
  • Catches the wildcard `Access-Control-Allow-Origin: *` + `Allow-Credentials: true` browser-blocking combination.
  • Flags missing or weak HSTS (under 6 months), CSP `unsafe-inline`/`unsafe-eval`, missing `nosniff`.
  • Detects Set-Cookie missing Secure (cookie sent over cleartext HTTP), HttpOnly (cookie readable by script, so stealable through XSS) or SameSite (cookie attached to cross-site requests, the basis of CSRF).
  • Warns when Access-Control-Allow-Origin reflects a specific origin but Vary doesn't include `Origin`: shared caches may serve one origin's response to a request from another.
  • Notices contradictory Cache-Control directives (public + private together).
  • Highlights server-banner leakage (Server, X-Powered-By) for fingerprinting hardening.
  • Handles obs-fold (multi-line headers, RFC 9112, formerly RFC 7230) and case-insensitive header lookups.
  • Runs 100% in your browser — nothing is fetched, nothing is uploaded.
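The parse-then-audit flow described above, covering the how-to steps and several of the listed audits, as an added example that is not Toollyz's own code. `parseHeaders()` accepts raw `curl -I` output with or without a status line, unfolds obs-fold continuations, skips HTTP/2 pseudo-headers and keeps repeated fields such as Set-Cookie separate; `audit()` runs a subset of the checks on this page with the same 6-month HSTS threshold. The sample response at the bottom is constructed, not captured from a real server.

```javascript
// Added example, not Toollyz's own code. Runs under Node with no dependencies.

function parseHeaders(raw) {
  // obs-fold (RFC 9112 section 5.2): a line starting with SP or HTAB continues the
  // previous field line, so join it back before splitting name and value.
  const unfolded = [];
  for (const line of raw.replace(/\r\n?/g, "\n").split("\n")) {
    if (/^[ \t]/.test(line) && unfolded.length > 0) unfolded[unfolded.length - 1] += " " + line.trim();
    else unfolded.push(line);
  }
  let status = null;
  const headers = []; // wire order kept; names lower-cased for case-insensitive lookup
  for (const line of unfolded) {
    if (line.trim() === "") continue;
    const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(line);
    if (m && status === null && headers.length === 0) { status = Number(m[1]); continue; }
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // not a field line (a pseudo-header such as ":status: 200" lands here)
    headers.push({ name: line.slice(0, colon).trim().toLowerCase(), value: line.slice(colon + 1).trim() });
  }
  return { status, headers };
}

// All values for a header name, matched case-insensitively (Set-Cookie repeats).
function get(parsed, name) {
  const n = name.toLowerCase();
  return parsed.headers.filter(h => h.name === n).map(h => h.value);
}

function audit(parsed) {
  const findings = [];
  const add = (severity, header, message) => { findings.push({ severity, header, message }); };

  const [hsts] = get(parsed, "strict-transport-security");
  if (!hsts) add("error", "Strict-Transport-Security", "missing");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 15552000) add("warning", "Strict-Transport-Security", `max-age ${maxAge} is under 6 months`);
  }

  const [csp] = get(parsed, "content-security-policy");
  if (!csp) add("warning", "Content-Security-Policy", "missing");
  else if (/'unsafe-(inline|eval)'/i.test(csp)) add("warning", "Content-Security-Policy", "uses 'unsafe-inline' or 'unsafe-eval'");

  if (!get(parsed, "x-content-type-options").some(v => v.toLowerCase() === "nosniff")) add("warning", "X-Content-Type-Options", "missing nosniff");

  // CORS: `*` plus credentials is rejected by browsers; a reflected origin needs Vary: Origin.
  const [acao] = get(parsed, "access-control-allow-origin");
  const creds = get(parsed, "access-control-allow-credentials").some(v => v.toLowerCase() === "true");
  if (acao === "*" && creds) add("error", "Access-Control-Allow-Origin", "wildcard with Allow-Credentials: true; browsers block the response");
  if (acao && acao !== "*" && acao !== "null") {
    const vary = get(parsed, "vary").join(",").split(",").map(v => v.trim().toLowerCase());
    if (!vary.includes("origin") && !vary.includes("*")) add("warning", "Vary", "specific origin reflected but Vary lacks Origin");
  }

  // Caching: public and private contradict each other.
  const cc = get(parsed, "cache-control").join(",").toLowerCase();
  if (/\bpublic\b/.test(cc) && /\bprivate\b/.test(cc)) add("warning", "Cache-Control", "public and private together");

  // Cookies: every Set-Cookie is audited on its own.
  for (const cookie of get(parsed, "set-cookie")) {
    const name = cookie.split("=")[0].trim();
    const attrs = cookie.split(";").slice(1).map(a => a.trim().toLowerCase());
    if (!attrs.includes("secure")) add("warning", "Set-Cookie", `${name}: missing Secure`);
    if (!attrs.includes("httponly")) add("warning", "Set-Cookie", `${name}: missing HttpOnly`);
    if (!attrs.some(a => a.startsWith("samesite="))) add("warning", "Set-Cookie", `${name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample (not captured from a real server): what `curl -I` might print
// for a misconfigured origin, including one obs-folded header.
const SAMPLE = [
  "HTTP/2 200",
  "content-type: text/html; charset=utf-8",
  "strict-transport-security: max-age=300",
  "content-security-policy: default-src 'self';",
  "  script-src 'self' 'unsafe-inline'", // continuation of the line above
  "access-control-allow-origin: https://app.example",
  "access-control-allow-credentials: true",
  "cache-control: public, private, max-age=60",
  "set-cookie: session=abc; Path=/; HttpOnly",
  "set-cookie: pref=1; Secure; SameSite=Lax",
].join("\r\n");

const parsed = parseHeaders(SAMPLE);
const findings = audit(parsed);
console.log(`status ${parsed.status}, ${findings.length} findings`);
for (const f of findings) console.log(`[${f.severity}] ${f.header}: ${f.message}`);
```

Run it with `node headers.js`. The sample produces eight warnings and no errors: weak HSTS, `unsafe-inline` in the unfolded CSP, missing `nosniff`, a reflected origin without `Vary: Origin`, `public` with `private`, and three cookie-flag gaps. Swap the Allow-Origin value for `*` and the CORS finding becomes an error, matching the benefit list above.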

Frequently asked questions

Does this tool fetch the URL itself?

No. Toollyz is statically exported with no backend. Paste the headers you already fetched with curl, DevTools or any HTTP client. The browser's same-origin policy would block us from fetching most third-party URLs anyway.

Why is `Access-Control-Allow-Origin: *` with credentials so dangerous?

The Fetch spec forbids the combination. When a request carries credentials (`fetch` with `credentials: 'include'`, or XHR with `withCredentials`), the CORS check requires Access-Control-Allow-Origin to be exactly the requesting origin and Access-Control-Allow-Credentials to be exactly `true`; a `*` fails that check, so the browser withholds the response body and the fetch rejects (the console logs a CORS error, the script only sees a TypeError). For preflighted requests the preflight fails and the real request is never sent. The fix is not to echo whatever `Origin` header arrives, which would let any site read your authenticated responses: compare the request's Origin against an explicit allowlist, reflect it only on an exact match, and add `Vary: Origin`.

What HSTS max-age should I aim for?

At minimum 6 months (15,552,000 seconds), which is the threshold the tool warns at; one year (31,536,000) or more is the usual target once you are sure every subdomain can stay on HTTPS, because browsers keep the policy for the full max-age and you cannot shorten it on clients you no longer see (sending `max-age=0` clears it only on clients that visit again). For HSTS preload submission (hstspreload.org) you need at least 1 year, the `includeSubDomains` and `preload` directives, a valid certificate, every subdomain served over HTTPS, and an HTTP request to the root domain redirected to HTTPS on the same host.

Why does the tool flag `unsafe-inline` in my CSP?

`unsafe-inline` in `script-src` lets any inline `<script>` block, inline event handler (`onclick=`) and `javascript:` URL run, which is exactly what a reflected or stored XSS needs; in `style-src` it does the same for inline styles. Move to nonces (`'nonce-…'`, a fresh random value per response, placed on each `<script nonce>` you emit) or hashes (`'sha256-…'` over the exact bytes of the inline block) for inline content you control. Two caveats: nonces and hashes cover `<script>` elements, not inline event handlers or `javascript:` URLs, so those must become `addEventListener` calls; and once a nonce or hash appears in the directive, browsers that support CSP level 2 ignore `unsafe-inline` there, so leaving it in only helps very old browsers.

What's the difference between X-Frame-Options and CSP frame-ancestors?

Both stop other sites from framing your page (clickjacking). `frame-ancestors` is the CSP directive that replaces X-Frame-Options: it accepts a list of allowed origins, whereas X-Frame-Options only offers `DENY` and `SAMEORIGIN` (its `ALLOW-FROM` value is obsolete and unsupported). When both headers are present, browsers that understand `frame-ancestors` ignore X-Frame-Options. Set `frame-ancestors` and, for old browsers without CSP level 2, keep `X-Frame-Options: DENY` or `SAMEORIGIN` alongside it.

Why does Vary matter for CORS?

If your server reflects the request's Origin into Access-Control-Allow-Origin, the response differs per origin, but a shared cache (CDN, proxy) and the browser's HTTP cache key on the URL by default. The cached copy produced for `https://a.example` would then be served to a request from `https://b.example` with the wrong Allow-Origin, so b.example's legitimate read is blocked; an attacker can also poison the cache on purpose by making the first request with an Origin your allowlist rejects, caching a copy with no CORS headers at all. `Vary: Origin` tells caches to key the response on the Origin header as well.
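The server-side pattern the two CORS answers above point at, as an added example that is not Toollyz's code: reflect the Origin only on an exact allowlist match, never as `*` with credentials and never as a blind echo, and always emit `Vary: Origin`. A small mirror of the browser's credentialed CORS check shows why the wildcard variant fails. The allowlist and origins are made up.

```javascript
// Added example, not Toollyz's own code. Framework-agnostic: returns the headers to set.

// Constructed allowlist of origins that may read credentialed responses.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Always vary on Origin: the response differs per requester, and a shared cache
  // must not hand app.example's copy to a request from somewhere else.
  const headers = { "Vary": "Origin" };
  if (requestOrigin === undefined) return headers; // same-origin or non-browser request: no CORS headers
  // Exact, case-sensitive match on the serialized origin. No prefix or regex tests:
  // "https://app.example.evil.test" must not pass because it starts with an allowed value.
  if (!allowed.has(requestOrigin)) return headers; // not allowed: omit ACAO, the browser blocks the read
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// The broken variant the checker flags: wildcard plus credentials.
function brokenCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
}

// Simplified mirror of the Fetch spec's CORS check for a request made with credentials:
// true only if a page at pageOrigin would be allowed to read the response.
function browserAllowsCredentialedRead(headers, pageOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined || acao === "*") return false; // `*` is not accepted when credentials are included
  if (acao !== pageOrigin) return false;                  // must match the requesting origin byte for byte
  return headers["Access-Control-Allow-Credentials"] === "true";
}

for (const origin of ["https://app.example", "https://evil.test", "https://app.example.evil.test"]) {
  console.log(origin, corsHeaders(origin));
}
console.log("wildcard + credentials readable?", browserAllowsCredentialedRead(brokenCorsHeaders(), "https://app.example"));
```

Preflight handling (`Access-Control-Allow-Methods`, `-Headers`, `Access-Control-Max-Age`) follows the same rule: answer with explicit lists, not `*`, whenever credentials are involved, since the checker also flags wildcard methods and headers next to `Allow-Credentials: true`.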

Does it understand HTTP/2 or HTTP/3 pseudo-headers?

It accepts both the classic `HTTP/1.1 200 OK` line and the `HTTP/2 200` form that curl prints. Pseudo-headers like `:status`, which DevTools shows for HTTP/2 and HTTP/3 responses, are not parsed; strip them before pasting.

Can I paste only the headers, no status line?

Yes. The status line is optional. If omitted, the status panel just shows `—`.

What's COOP and COEP?

Cross-Origin-Opener-Policy (`same-origin`) cuts the `window.opener` link between your top-level document and any cross-origin page that opened it or that it opens, so they end up in separate browsing context groups and the browser can keep them in separate processes. Cross-Origin-Embedder-Policy (`require-corp`) requires every cross-origin subresource to opt in through CORS or a `Cross-Origin-Resource-Policy` header. Together they make the page cross-origin isolated, which is the precondition for SharedArrayBuffer and high-resolution timers: those were restricted after Spectre because they make in-process timing attacks practical, and isolation guarantees that no cross-origin data shares the process.

Does the tool send my headers anywhere?

No. Parsing runs entirely in your browser via JavaScript. The page is statically exported — there's no Toollyz server to receive your input.

What headers should every production response have?

At minimum: Strict-Transport-Security (≥6 months, 1 year if you intend to preload), Content-Security-Policy (no `unsafe-*`, with `frame-ancestors` or an X-Frame-Options fallback against clickjacking), X-Content-Type-Options: nosniff, Referrer-Policy, Cache-Control, and for any cookie: Secure + HttpOnly + SameSite.