HTTP Header Viewer

HTTP headers are key-value pairs sent with every request and response. They convey metadata: content type, caching rules, authentication, CORS policy, and security directives. Request headers describe what the client wants (Accept, User-Agent) and provide credentials (Authorization, Cookie). Response headers describe the body (Content-Type, Content-Length), caching (Cache-Control, ETag), and security (Strict-Transport-Security, Content-Security-Policy).

Inspecting headers helps developers debug API responses, verify security configuration, understand caching behavior, and troubleshoot CORS issues. This tool lets you view headers from the current page or any CORS-enabled URL.

When JavaScript fetches a URL from a different origin, the browser applies CORS. By default, only a limited set of response headers is exposed to JavaScript. Servers can use Access-Control-Expose-Headers to allow reading custom headers like X-Request-Id or X-RateLimit-Remaining. If a cross-origin server doesn't send this header, you'll only see the safe-listed headers. For full inspection of any site, use the browser's Network tab in DevTools, which shows all headers regardless of CORS.

Content-Type specifies the body format (text/html, application/json). Cache-Control controls caching (max-age, no-cache, immutable). Security headers include X-Content-Type-Options: nosniff, X-Frame-Options, Strict-Transport-Security, and Content-Security-Policy. CORS headers (Access-Control-Allow-Origin, etc.) control cross-origin access. Set-Cookie configures cookies with HttpOnly, Secure, and SameSite. The reference section below lists 20 common headers with brief descriptions.