HTTP Header Parser / Decode & Explain
Paste HTTP response headers to decode and explain each field grouped by category.
Frequently Asked Questions
How do I get the HTTP response headers for a website?
In Chrome/Firefox, open DevTools (F12) → Network tab → click any request → Headers tab → copy the Response Headers section. Alternatively use curl: curl -I https://example.com to print headers only.
What does Cache-Control: max-age=3600 mean?
It instructs browsers and intermediate caches to store the response for up to 3600 seconds (1 hour). After that the stored copy is stale and a new request must be made. Combined with ETag or Last-Modified, the cache can ask the server whether the cached version is still current instead of downloading it again.
What is HSTS and why should I enable it?
HSTS (HTTP Strict Transport Security) via the Strict-Transport-Security header tells browsers to only connect to your site over HTTPS, never HTTP, for a specified duration. This prevents SSL stripping attacks. Once a browser has seen the header over HTTPS, it will refuse plain HTTP connections to your domain until that duration expires.
Why does my API return CORS errors?
CORS errors occur when a browser blocks a cross-origin request because the server's response doesn't include the appropriate Access-Control-Allow-Origin header. The server must explicitly allow the requesting origin, or use * to allow all origins (not suitable for credentialed requests).
What is the difference between ETag and Last-Modified?
Both are cache validation mechanisms. ETag is an opaque token (usually a hash of the content) — more precise. Last-Modified is the date the resource was last changed — simpler but less accurate (can miss sub-second changes). Browsers use them to send conditional requests (If-None-Match / If-Modified-Since) and get a 304 Not Modified response if content hasn't changed.
What does X-Content-Type-Options: nosniff do?
It prevents browsers from MIME-sniffing — guessing a different Content-Type than what the server declared. Without it, a browser might execute a JavaScript file served as text/plain. Always set this header to prevent content injection attacks.
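The checks described in the answers above (HSTS, nosniff, wildcard CORS with credentials, cache validators) can be run over a pasted header block. This is an added example, not this tool's own code; the function names, the finding codes, the sample headers and the one-year HSTS threshold are assumptions.

```python
MIN_HSTS_AGE = 31536000  # assumed policy threshold (one year); not from the page

SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=3600
ETag: "abc123"
Strict-Transport-Security: max-age=300; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""  # constructed sample, not captured from a real site

def parse_headers(raw):
    """Return {lowercased name: [values]}; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(value):
    """Split 'max-age=300; includeSubDomains' or 'public, max-age=3600' into a dict."""
    out = {}
    for part in value.replace(";", ",").split(","):
        key, _, arg = part.strip().partition("=")
        if key:
            out[key.lower()] = arg.strip('"') or None
    return out

def audit(raw):
    """Return a list of finding codes for HSTS, nosniff, CORS and cache validation."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security")
    age = (directives(hsts[0]).get("max-age") or "") if hsts else ""
    if not hsts:
        findings.append("hsts-missing")
    elif not age.isdigit() or int(age) < MIN_HSTS_AGE:
        findings.append("hsts-short-max-age")
    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("nosniff-missing")
    creds = [v.lower() for v in h.get("access-control-allow-credentials", [])]
    if "*" in h.get("access-control-allow-origin", []) and "true" in creds:
        findings.append("cors-wildcard-with-credentials")  # browsers reject this pair
    cache = directives(",".join(h.get("cache-control", [])))
    if cache.get("max-age") and not {"etag", "last-modified"} & h.keys():
        findings.append("cache-no-validator")  # stale copy cannot be revalidated
    return findings
```

Calling audit(SAMPLE) flags the short HSTS lifetime, the missing nosniff header and the wildcard origin combined with credentials.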