
HTTP Headers Decoder

Paste your headers and every field is explained directive by directive. No outbound calls.

Content-Type (L2)
text/html; charset=utf-8
  • MIME: text/html; charset=utf-8

Cache-Control (L3)
public, max-age=3600, must-revalidate
  • public: May be cached by any cache (proxies included).
  • max-age 3600: Cache for 3600 seconds (~1h).
  • must-revalidate: Stale responses must not be served without revalidation.

Strict-Transport-Security (L4)
max-age=31536000; includeSubDomains; preload
  • max-age 31536000: ~365d
  • includeSubDomains
  • preload

Content-Security-Policy (L5)
default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'
  • default-src: 'self'
  • script-src: 'self' 'unsafe-inline' https://cdn.example.com
    ⚠️ Risky token detected (unsafe-inline or unsafe-eval)
  • style-src: 'self' 'unsafe-inline'
    ⚠️ Risky token detected (unsafe-inline or unsafe-eval)

X-Frame-Options (L6)
SAMEORIGIN
  • Policy: SAMEORIGIN
    Page can only be framed by same-origin pages.

Set-Cookie (L7)
session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600
  • name: session
  • value: abc123
  • path: /
  • secure
  • httponly
  • samesite: Strict
  • max-age: 3600
Hardened cookie.

Authorization (L8)
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkphbmUgRG9lIn0.fake
  • scheme: Bearer (JWT)
  • header: {"alg":"HS256","typ":"JWT"}
  • payload: {"sub":"1234","name":"Jane Doe"}
  • signature: (not verified — only structural decode)
JWT decoded — signature NOT verified. Treat as untrusted unless you know the issuer.

ETag (L9)
"abc123"
  • ETag: "abc123"

Vary (L10)
Accept-Encoding
  • vary on: Accept-Encoding

What is HTTP Headers Decoder?

HTTP header parser that explains every field directive by directive: security, caching, cookies, authentication.

How to use this tool?

Paste the header block from curl -I or DevTools — the tool detects each header and renders a readable explanation.

Benefits

  • No outbound calls
  • CSP breakdown
  • Plain-English Cache-Control
  • Bearer JWT decode
  • 100% browser

Frequently Asked Questions

Does the tool make any HTTP request?
No. You paste headers manually (from curl -I or DevTools). The tool never makes outbound calls.
Which headers are explained?
Cache-Control, CSP, HSTS, Set-Cookie, Authorization (Bearer/JWT), X-Frame-Options, ETag, Vary, and most common headers.
Is CSP broken down by directive?
Yes, every directive is listed with its sources. Risky tokens like 'unsafe-eval' are flagged.
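
The breakdown described above (CSP directives with risky tokens flagged, cookie attributes, structural JWT decode), as an added JavaScript example for Node. It is not WebFileTools' own code; the function names and the status line in SAMPLE are assumptions.

```javascript
// Added example; names are hypothetical, not the tool's own code.
const RISKY = ["'unsafe-inline'", "'unsafe-eval'"];
// Constructed input: a status line plus two of the page's sample headers.
const SAMPLE = `HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600`;

// Split a pasted block into [lowercased name, value] pairs.
function parseHeaders(block) {
  return block.split(/\r?\n/)
    .map(line => [line.indexOf(":"), line])
    .filter(([i]) => i > 0) // drops the status line and blank lines
    .map(([i, line]) => [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
}

// One entry per CSP directive, with risky source tokens called out.
function explainCsp(value) {
  return value.split(";").map(s => s.trim()).filter(Boolean).map(d => {
    const [name, ...sources] = d.split(/\s+/);
    const risky = sources.filter(s => RISKY.includes(s.toLowerCase()));
    return { name: name.toLowerCase(), sources, risky };
  });
}

// Cookie name/value and attributes; "missing" lists absent hardening flags.
function explainCookie(value) {
  const [pair, ...attrs] = value.split(";").map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const flags = {};
  for (const a of attrs) {
    const [k, v = true] = a.split("=");
    flags[k.trim().toLowerCase()] = v;
  }
  const missing = ["secure", "httponly", "samesite"].filter(k => !(k in flags));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags, missing };
}

// Structural decode of a Bearer JWT. The signature is never checked, so the
// claims stay untrusted input until a real verifier has accepted the token.
function decodeBearer(value) {
  const m = /^Bearer\s+([\w-]+)\.([\w-]+)\.([\w-]*)$/i.exec(value.trim());
  if (!m) return null; // not a three-segment bearer token
  const b64 = s => s.replace(/-/g, "+").replace(/_/g, "/");
  const seg = s => JSON.parse(Buffer.from(b64(s), "base64").toString("utf8"));
  try {
    return { header: seg(m[1]), payload: seg(m[2]), verified: false };
  } catch {
    return null; // segments were not base64url-encoded JSON
  }
}
```

The `verified: false` field is always set, so a caller cannot mistake decoded claims for authenticated ones.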
