WebOpsTools
Developer Toolkit


HTTP Header Analyzer Documentation

Everything you need to know about HTTP security and performance headers

Table of Contents

  • What Are HTTP Headers?
  • Security Headers
  • Performance Headers
  • CORS Configuration
  • How to Implement
  • Testing Your Headers

What Are HTTP Headers?

HTTP headers are metadata sent between a client (browser) and server with every request and response. They control security policies, caching behavior, content types, and more.

Example HTTP Response Headers:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=3600
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'

Security Headers

1. Strict-Transport-Security (HSTS)

Instructs browsers to connect to the site only over HTTPS for the stated period, so plain-HTTP requests are upgraded before they leave the browser; this blocks protocol-downgrade man-in-the-middle attacks.

Recommended Configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age=31536000 - Enforces HTTPS for 1 year (value in seconds)
  • includeSubDomains - Applies the policy to all subdomains as well
  • preload - Marks the site as eligible for browsers' built-in HSTS preload lists

2. Content-Security-Policy (CSP)

Prevents cross-site scripting (XSS) and other code injection attacks by controlling which resources can load.

Basic Configuration:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'

Important

CSP is complex and can break your site if misconfigured. Start with report-only mode and test thoroughly.

3. X-Frame-Options

Prevents clickjacking attacks by controlling whether your site can be embedded in iframes.

Options:

X-Frame-Options: DENY - Never allow framing
X-Frame-Options: SAMEORIGIN - Allow same-origin framing

4. X-Content-Type-Options

Prevents MIME-type sniffing attacks by forcing browsers to respect declared content types.

X-Content-Type-Options: nosniff

5. Other Security Headers

Referrer-Policy

Controls how much referrer information (origin, full URL, or nothing) is sent with outgoing requests.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features and APIs the page (and its embedded frames) may use; an empty allowlist such as geolocation=() disables the feature entirely.

Permissions-Policy: geolocation=(), microphone=(), camera=()
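The checks described in the Security Headers section above, applied to a raw HTTP response, as an added example (this is not the WebOpsTools analyzer's own code). It parses the response head the way the "Example HTTP Response Headers" block shows it, then reports every header that misses the recommended configuration. Both sample responses are constructed for the example; the thresholds (one-year HSTS max-age, DENY/SAMEORIGIN, nosniff) are the ones this documentation recommends.

```python
"""Evaluate security headers of an HTTP response against this guide's
recommendations. Added example; not the WebOpsTools analyzer itself."""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age this guide recommends

# Constructed sample: a weak response with several findings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

# Constructed sample: a response that follows every recommendation above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a dict.

    Header names are case-insensitive, so keys are lower-cased. Repeated
    headers are joined with ", " as RFC 9110 allows. Anything after the
    blank line (the body) is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        hsts_l = hsts.lower()  # directive names are case-insensitive
        m = re.search(r"max-age=(\d+)", hsts_l)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age should be at least one year (31536000)")
        if "includesubdomains" not in hsts_l:
            findings.append("HSTS: includeSubDomains not set")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives: dict[str, list[str]] = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP: script-src allows 'unsafe-inline', which defeats XSS protection")

    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy: header missing")
    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy: header missing")
    return findings


def analyze(raw: str) -> list[str]:
    """Parse a raw response and return its findings."""
    return check_security_headers(parse_response_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in analyze(raw) or ["all checks passed"]:
            print(" ", finding)
```

The raw response head can come from a captured Network-tab entry or a curl -I dump; the checker deliberately stops at "missing or weak" and leaves judging the full CSP to a report-only rollout, as the note under CSP advises.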

Performance Headers

Cache-Control

Optimizes caching behavior to reduce server load and improve load times.

Examples:

Cache-Control: public, max-age=31536000, immutable - Static, versioned assets that never change under the same URL
Cache-Control: private, max-age=3600 - User-specific content; only the browser's cache may store it, never a shared proxy or CDN cache
Cache-Control: no-cache - May be stored, but must be revalidated with the server before every reuse
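How a cache reads the three Cache-Control examples above, as an added example (not code from the WebOpsTools page). The decision function returns whether a cache may store the response and for how many seconds it stays fresh, distinguishing a shared cache (CDN or proxy) from a private browser cache; the "private" case matters for security because user-specific responses must not be served to other users from a shared cache.

```python
"""Parse Cache-Control and decide storability and freshness lifetime.
Added example; the directive semantics follow RFC 9111."""
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split 'public, max-age=3600' into {'public': None, 'max-age': '3600'}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_policy(value: str, *, shared_cache: bool) -> tuple[bool, int]:
    """Return (may_store, fresh_seconds) for a cache of the given kind.

    fresh_seconds == 0 means the cache must revalidate before every reuse.
    """
    d = parse_cache_control(value)
    if "no-store" in d:
        return (False, 0)                 # never written to any cache
    if shared_cache and "private" in d:
        return (False, 0)                 # user-specific: shared caches must not store it
    if "no-cache" in d:
        return (True, 0)                  # storable, but always revalidate
    if shared_cache and d.get("s-maxage") is not None:
        ttl = int(d["s-maxage"] or 0)     # shared caches prefer s-maxage
    elif d.get("max-age") is not None:
        ttl = int(d["max-age"] or 0)
    else:
        ttl = 0                           # no explicit lifetime: revalidate
    return (True, ttl)


if __name__ == "__main__":
    for header in ("public, max-age=31536000, immutable",
                   "private, max-age=3600",
                   "no-cache"):
        print(header, "-> shared:", cache_policy(header, shared_cache=True),
              "browser:", cache_policy(header, shared_cache=False))
```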

Content-Encoding

Enables compression to reduce bandwidth usage and improve load times.

Content-Encoding: gzip
Content-Encoding: br (Brotli)

CORS Configuration

Cross-Origin Resource Sharing (CORS) headers control which origins a browser will allow to read cross-origin responses from your API.

Common CORS Headers:

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization

Security Warning

Never use Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. This is a major security vulnerability.
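The allowlist approach implied by the CORS headers above, as an added example that is not part of the WebOpsTools page or of any framework. The function builds the CORS response headers for a request's Origin: a public, credential-less API may answer with the wildcard, an allowlisted origin is echoed back exactly, any other origin gets no CORS headers at all, and the wildcard-plus-credentials combination the warning describes is refused outright. The allowlist and origins are constructed.

```python
"""Build CORS response headers from an explicit origin allowlist.
Added example; not framework code."""
from __future__ import annotations

# Constructed allowlist of origins permitted to read API responses.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://app.example.com"})

ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Content-Type, Authorization"


def cors_headers(request_origin: str | None,
                 allowed: frozenset[str] = ALLOWED_ORIGINS,
                 *, public: bool = False,
                 credentials: bool = False) -> dict[str, str]:
    """Return the CORS headers to add to a response for this request.

    public=True: any origin may read the response (wildcard), which is only
    valid when no cookies or Authorization headers are involved.
    credentials=True: the browser may send cookies/credentials, so the
    response must name one exact origin and never '*'.
    """
    if public and credentials:
        raise ValueError("Access-Control-Allow-Origin: * cannot be combined "
                         "with Access-Control-Allow-Credentials: true")

    common = {
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    }
    if public:
        return {"Access-Control-Allow-Origin": "*", **common}

    # Exact string match against the allowlist: no prefix, suffix or
    # substring matching, so look-alike origins are not accepted.
    if request_origin is None or request_origin not in allowed:
        return {}  # browser blocks the cross-origin read

    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # caches must keep one copy per origin
        **common,
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(cors_headers("https://example.com", credentials=True))
    print(cors_headers("https://other.example", credentials=True))  # -> {}
    print(cors_headers(None, public=True))
```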

How to Implement

Nginx

# Add to your server block
# Note: add_header directives placed inside a location block replace, rather
# than extend, the ones inherited from the server block; repeat them there.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'" always;

# Enable gzip compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml;

Apache (.htaccess)

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

Node.js / Express

const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet sets its own secure defaults for the remaining headers in this guide
// (for example X-Content-Type-Options: nosniff and X-Frame-Options: SAMEORIGIN);
// only HSTS and CSP are customised here.
app.use(helmet({
  strictTransportSecurity: {
    maxAge: 31536000,        // one year, in seconds
    includeSubDomains: true,
    preload: true
  },
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"]
    }
  }
}));

app.get('/', (req, res) => res.send('ok'));
app.listen(3000);

Testing Your Headers

After implementing security headers, test them thoroughly:

Our Tool

Use our HTTP Header Analyzer for instant analysis and recommendations.

Browser DevTools

Press F12 → Network tab → Click any request → Headers tab to inspect response headers

Best Practices

  • ✓ Start with HTTPS: Security headers only work effectively over HTTPS
  • ✓ Test in staging first: Some headers can break functionality if misconfigured
  • ✓ Use CSP report-only mode: Monitor violations before enforcing policies
  • ✓ Regular audits: Check headers quarterly to ensure they're still optimal
  • ✓ Monitor logs: Watch for CSP violations and CORS errors in production
© 2025 WebOpsTools. All rights reserved.
