How to use the HTTP Headers Parser & Builder
Paste raw HTTP request or response headers — copied from Chrome DevTools, curl -v, an API client, a proxy log, or a Postman request — and inspect them as a clean, sortable grid. Spot duplicates, audit CORS preflight values, decode auth headers, see cookie attributes, normalize casing, and export to JSON for fetch / Axios. Useful when debugging a 401, a CORS failure, or a caching issue. Runs locally; headers are never uploaded.
What it does
- Parses raw header text (any line endings, any casing).
- Grid view with sortable, editable rows; per-header notes for well-known names.
- Flags duplicates and shows which copy is used.
- Highlights CORS fields, auth headers, cookies, cache directives.
- Decodes Bearer JWTs inline (use the JWT Decoder for a full breakdown).
- Exports headers as JSON for use in fetch / Axios, or as a cURL
-H string.
- Builder mode: type key / value pairs and produce a clean header block.
When to use it
- Debugging a CORS preflight failure — confirm the
Access-Control-* set.
- Compare request headers sent by two clients to find a discrepancy.
- Convert DevTools-copied headers into a JSON object for fetch or Axios.
- Spot a duplicate
Content-Type or Authorization added by middleware.
- Audit a
Set-Cookie response for Secure, HttpOnly, SameSite.
- Build a clean header block for an API integration.
How to use it
- Copy headers from Chrome DevTools (Network → Headers → "view source") or from
curl -v.
- Paste into the parser — the grid renders with annotations and duplicate warnings.
- Sort, edit, or delete rows; toggle case-normalize.
- Export as JSON (for fetch / Axios), cURL flags, or raw header text.
- For a full security audit, send to the HTTP Security Headers Analyzer.
Tips & pitfalls
- HTTP header names are case-insensitive (RFC 7230), but some servers, proxies, and SDKs still treat them as case-sensitive — normalize when in doubt.
- CORS preflight responses need both
Access-Control-Allow-Origin and Access-Control-Allow-Methods — check both.
- Duplicate
Content-Type or Authorization from middleware is a common source of mysterious failures.
- A
Set-Cookie without Secure and HttpOnly is a security smell.
Cache-Control: no-store is stricter than no-cache — make sure your intent matches.- For security scoring of a complete response, use the Security Headers Analyzer.
FAQ
- How do I parse HTTP headers online? Paste the raw header text — the parser produces a sortable grid with duplicate warnings.
- How do I convert headers to JSON for fetch? Use the JSON export — the output is ready to drop into the
headers: option.
- What is a CORS preflight? An
OPTIONS request the browser sends before a "non-simple" cross-origin request, to verify the server allows it.
- Why is my
Authorization header missing? Often: lost during a CORS preflight (server didn't include it in Access-Control-Allow-Headers) or stripped by a proxy.
- Are my headers uploaded? No. Parsing runs in your browser; nothing is sent to a server.
- How do I check security headers? Use the HTTP Security Headers Analyzer for a graded audit with CSP, HSTS, cookies, and platform-specific fix snippets.
Runs locally in your browser. No uploads. For a security audit, hand off to the HTTP Security Headers Analyzer.
