Parse raw HTTP request or response headers into a normalized, readable summary with duplicate detection and cache, security, CORS, and content header groups.
Continue with a related workflow or open the next tool that usually follows this task.
Use this workflow when encoded query strings look readable in parts, fail authentication, or return unexpected 400/404 errors.
OpenRelated toolGenerate MD5, SHA-1, SHA-256, and SHA-512 checksums locally.
OpenRelated toolDecode JWT header, payload, claims, and expiration locally.
OpenRelated toolEncode or decode query strings, redirects, and URL components locally.
OpenPaste raw HTTP request or response headers into the input.
Review the normalized header list and skipped-line warnings.
Check duplicate header names such as Accept or Set-Cookie.
Use the grouped summary to inspect cache, security, CORS, and content headers.
Copy or download the normalized output for debugging notes.
Inspect cache-control, etag, expires, vary, and age headers before debugging stale API or CDN responses.
Check CORS response headers before testing a frontend request that fails in the browser.
Review HSTS, CSP, frame, content-type, and referrer-related headers while preparing deployment checks.
Normalize copied request headers from DevTools or curl when documenting API issues.
HTTP/1.1 200 OK
content-type: application/json
cache-control: public, max-age=3600
strict-transport-security: max-age=31536000; includeSubDomainsStart line: HTTP/1.1 200 OK
Total headers: 3
Cache headers: cache-control
Security headers: strict-transport-securityGET /api/users HTTP/1.1
Host: api.example.com
Accept: application/json
Accept: text/plainStart line: GET /api/users HTTP/1.1
Duplicate header names: 1
Normalized headers:
host: api.example.com
accept: application/json
accept: text/plainThe parser recognizes HTTP request and response start lines before reading name/value header pairs.
Header names are grouped case-insensitively while original values are preserved.
Repeated header names are reported as duplicates instead of being overwritten.
Continuation lines are folded into the previous header value for readable output.
Malformed lines are skipped with warnings so a partial log still produces useful results.
A. Yes. Paste the status line and header block from DevTools, curl, a CDN log, or an API client. The parser keeps the start line and normalizes the headers below it.
A. No. Everything runs locally in your browser. The tool does not fetch URLs, upload headers, or store inspected values.
A. It highlights common cache, CORS, content, request, response, and security header groups. These are inspection hints, not a complete security audit.
Use these focused guides when you need a practical workflow before opening the tool.
Use this workflow when encoded query strings look readable in parts, fail authentication, or return unexpected 400/404 errors.
Workflow guideUse this workflow when a CSP blocks expected browser behavior, allows risky sources, or needs a readable review before a deployment change.
Workflow guideUse this workflow when a browser request, API response, redirect, or CDN cache behaves differently than expected and you need a clean header-level view first.
Workflow guideUse this workflow when a bug report, test failure, or production log includes a large JSON payload and you need to isolate request IDs, statuses, pagination links, or nested error fields.
Workflow guideUse this workflow before a release when you need to confirm that response headers include practical browser security signals without sending internal URLs to a remote scanner.
Workflow guideUse this workflow when copied logs or API payloads contain mixed epoch values and you need to understand what happened when before changing application code.
Workflow guideUse this workflow when copied logs contain mixed timestamp units and you need to understand event order, compare server UTC with user-facing local time, or generate readable notes for debugging.
Workflow guideUse this workflow when a URL looks correct in the browser but an app, analytics tool, webhook, or API callback reads different query parameter values.
Explore more developer tools
Generate MD5, SHA-1, SHA-256, and SHA-512 checksums locally.
Decode JWT header, payload, claims, and expiration locally.
Encode or decode query strings, redirects, and URL components locally.
Parse CSP headers into directives and conservative security review hints.
Parse URL query strings into key-value pairs. Decode parameters instantly.
Inspect pasted HTTP response security headers and conservative review hints.
Parse URLs to extract protocol, domain, path, and query parameters. Instant breakdown.
HTTP Header Parser: Paste raw HTTP headers from curl, DevTools, logs, or API clients to normalize values and inspect important header groups locally.
Standard: Processing instructions and options
💡 Live Mode: Results update automatically as you type.