HTTP Header Parser | Inspect Request & Response Headers

Runs in Your Browser (No Uploads)

Parse raw HTTP request or response headers into a normalized, readable summary with duplicate detection and cache, security, CORS, and content header groups.

How to Use This Tool

Paste raw HTTP request or response headers into the input.

Review the normalized header list and skipped-line warnings.

Check duplicate header names such as Accept or Set-Cookie.

Use the grouped summary to inspect cache, security, CORS, and content headers.

Copy or download the normalized output for debugging notes.

When to Use This Tool

Cache Debugging

Inspect cache-control, etag, expires, vary, and age headers before debugging stale API or CDN responses.

CORS Troubleshooting

Check CORS response headers before testing a frontend request that fails in the browser.

Security Header Review

Review HSTS, CSP, frame, content-type, and referrer-related headers while preparing deployment checks.

API Debugging Notes

Normalize copied request headers from DevTools or curl when documenting API issues.

Common Mistakes

Pasting only the response body

Header analysis needs the status line and header block, not just HTML or JSON content. Copy the response headers from DevTools or curl.

Ignoring duplicate headers

Set-Cookie and cache-related headers can appear more than once. Check duplicates before deciding whether a server or proxy is misconfigured.

Mixing request and response headers

Request headers describe what the browser sent; response headers describe what the server returned. Keep them separate when debugging caching, CORS, or security issues.

Examples

Inspect response headers

Input
HTTP/1.1 200 OK
content-type: application/json
cache-control: public, max-age=3600
strict-transport-security: max-age=31536000; includeSubDomains
Output
Start line: HTTP/1.1 200 OK
Total headers: 3
Cache headers: cache-control
Security headers: strict-transport-security

Find duplicate request headers

Input
GET /api/users HTTP/1.1
Host: api.example.com
Accept: application/json
Accept: text/plain
Output
Start line: GET /api/users HTTP/1.1
Duplicate header names: 1
Normalized headers:
host: api.example.com
accept: application/json
accept: text/plain

How HTTP Header Parsing Works

The parser recognizes HTTP request and response start lines before reading name/value header pairs.

Header names are grouped case-insensitively while original values are preserved.

Repeated header names are reported as duplicates instead of being overwritten.

Continuation lines are folded into the previous header value for readable output.

Malformed lines are skipped with warnings so a partial log still produces useful results.
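
The parsing rules above, sketched as an added JavaScript example. This is not the tool's own source code; the function name parseHeaders, the result shape, the warning wording, the stop-at-blank-line behavior, and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical parseHeaders(), not the tool's own source.
const START_LINE = /^(?:HTTP\/\d(?:\.\d)?\s+\d{3}\b.*|[A-Z]+\s+\S+\s+HTTP\/\d(?:\.\d)?)$/;
const FIELD_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // token characters only

function parseHeaders(raw) {
  const result = { startLine: null, headers: [], duplicates: [], warnings: [] };
  const lines = raw.split(/\r?\n/);
  let i = 0;
  while (i < lines.length && lines[i].trim() === '') i++; // leading blank lines
  if (i < lines.length && START_LINE.test(lines[i].trim())) {
    result.startLine = lines[i++].trim();
  }
  for (; i < lines.length; i++) {
    const line = lines[i];
    if (line.trim() === '') break; // assumption: blank line ends the header block
    if (/^[ \t]/.test(line)) {
      // Continuation line: fold into the previous header value.
      const prev = result.headers[result.headers.length - 1];
      if (prev) prev.value = `${prev.value} ${line.trim()}`.trim();
      else result.warnings.push(`line ${i + 1}: continuation with no header before it`);
      continue;
    }
    const colon = line.indexOf(':');
    const name = colon > 0 ? line.slice(0, colon) : '';
    if (!FIELD_NAME.test(name)) {
      // Also rejects "Host : x" (space before the colon) rather than guessing.
      result.warnings.push(`line ${i + 1}: skipped malformed line`);
      continue;
    }
    // Lowercase the name for grouping; keep the value as written.
    result.headers.push({ name: name.toLowerCase(), value: line.slice(colon + 1).trim() });
  }
  const counts = new Map();
  for (const h of result.headers) counts.set(h.name, (counts.get(h.name) || 0) + 1);
  result.duplicates = [...counts].filter(([, n]) => n > 1).map(([name]) => name);
  return result;
}

// Constructed sample input (not taken from the page).
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'Set-Cookie: a=1; Secure',
  'set-cookie: b=2; Secure',
  'X-Note: first part',
  '  second part',
  'not a header line',
  'Cache-Control: no-store',
].join('\r\n');
console.log(parseHeaders(SAMPLE));
```

Keeping both set-cookie entries instead of overwriting the first is what lets a reviewer see that two layers (for example an app and a proxy) each set the header.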

Frequently Asked Questions

Can I paste a full response header block?

Yes. Paste the status line and header block from DevTools, curl, a CDN log, or an API client. The parser keeps the start line and normalizes the headers below it.

Are my headers sent to a server?

No. Everything runs locally in your browser. The tool does not fetch URLs, upload headers, or store inspected values.

Does this check security headers?

It highlights common cache, CORS, content, request, response, and security header groups. These are inspection hints, not a complete security audit.
