HTTP header inspector with a security score
Paste the output of curl -I and get every header parsed into a table, plus an analysis of your security headers — HSTS, CSP, X-Content-Type-Options, frame protection, Referrer-Policy, and Permissions-Policy — with a score.
HTTP Header Inspector
Paste response headers and get a parsed table plus a security-header analysis. This is a parser of pasted text — it never fetches URLs, and nothing leaves your browser.
Paste headers above to inspect them.
Know what your server is really sending
Response headers decide far more than caching: they control whether browsers force HTTPS, whether your site can be framed for clickjacking, what scripts are allowed to run, and how much referrer data leaks to third parties. Yet they are invisible in normal use, and a misconfigured proxy or a missing header can silently sit in production for years.
Run curl -I against your endpoint, paste the output here, and every header lands in a clean parsed table. The security analysis then checks the headers that matter — Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, frame protection via X-Frame-Options or CSP frame-ancestors, Referrer-Policy, and Permissions-Policy — and produces a score with a finding for each one that is missing or weak. The analysis runs in your browser; your headers are not uploaded anywhere.
How to inspect your HTTP headers
- 1
Fetch the headers
Run curl -I https://your-site.com in a terminal (or copy headers from your browser's network tab) to get the raw response headers.
- 2
Paste them into the inspector
Paste the output as-is. Each header is parsed into a name/value table, with duplicates and casing handled for you.
- 3
Review the security score
The analyzer scores HSTS, CSP, X-Content-Type-Options, frame protection, Referrer-Policy, and Permissions-Policy, flagging each missing or weak header.
- 4
Fix and re-check
Add the missing headers in your server or CDN config, fetch again with curl -I, and paste the new output to confirm the score improved.
HTTP header inspector FAQ
Is this header checker free?
Yes. It is completely free with no signup and no limits.
Are my headers uploaded anywhere?
No. Parsing and security analysis run in your browser. Headers can reveal internal infrastructure details — they stay on your machine.
Why does the tool ask me to paste instead of fetching the URL?
Browsers cannot freely read response headers from other origins, and fetching server-side would mean sending your URL to us. Pasting curl -I output keeps everything local and works for internal and staging hosts too.
Which security headers does it check?
Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, frame protection (X-Frame-Options or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy.
Is a perfect score the same as a secure site?
No. Security headers are one hardening layer; they do not replace patching, access control, or TLS configuration. Treat the score as a checklist for browser-side protections, not a full audit.
Explore more
Capabilities
By framework
Headers fixed — now watch them stay fixed
AllStak uptime monitoring checks your endpoints around the clock and SSL monitoring warns you before certificates expire — so a config regression or an expiring cert gets caught by a monitor, not by a user.