HTTP Header Analyzer — Paste Response Headers & Audit Security, Caching, SEO

HTTP Header Analyzer

Paste raw HTTP response headers (from curl, browser DevTools, or any tool) and instantly see an audit: status code, caching policy, security headers, compression, and redirects. Spot misconfigurations that hurt performance, SEO, and security.


How to use the HTTP Header Analyzer

Get the HTTP response headers from the page you want to audit. In Chrome: open DevTools (F12), Network tab, click any request, scroll to “Response Headers” and copy. Or use curl: `curl -I https://example.com`. Paste into the input box. The analyzer audits status, security headers, caching, compression, and flags information leaks.

Why this tool matters

HTTP headers control nearly every aspect of page security, performance, and SEO outside the actual HTML. Missing HSTS allows downgrade attacks. Missing Cache-Control bloats your CDN bill. Missing Content-Encoding makes everything 70% larger over the wire. Information-leaking headers (Server, X-Powered-By) tell attackers exactly which exploits to try. Each fix takes one config change.

Common use cases

  • Pre-launch security audit before going live
  • Diagnosing why a CDN is not caching properly
  • Auditing a client site’s security posture before contract
  • Confirming a redirect chain is working as expected
  • Identifying technology-disclosure headers that should be removed
  • Checking that compression is enabled on a slow-loading page

The headers that matter most

For security: strict-transport-security, content-security-policy, x-frame-options, x-content-type-options, referrer-policy. For performance: cache-control, content-encoding, vary. For SEO: cache-control (longer cache helps Core Web Vitals), x-robots-tag (controls indexing for non-HTML resources), link (canonical, hreflang in headers for non-HTML assets).
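The checks described above can be reproduced offline on pasted `curl -I` output. The following is an added example, not the analyzer's own code; the function names, finding strings, and the constructed sample input are assumptions made for illustration.

```python
import re

SECURITY = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")

# Constructed sample: a redirect hop followed by the final response.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Location: https://example.com/

HTTP/2 200
server: nginx/1.18.0
x-powered-by: PHP/8.1
strict-transport-security: max-age=0
x-content-type-options: nosniff
cache-control: max-age=3600
"""

def parse(raw):
    """Split pasted text into one (status, headers) pair per response block."""
    hops = []
    for block in re.split(r"\n\s*\n", raw.replace("\r\n", "\n").strip()):
        lines = block.strip().split("\n")
        m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
        headers = {}
        for line in lines[1 if m else 0:]:  # DevTools pastes have no status line
            name, sep, value = line.partition(":")
            if sep and name.strip():        # skips pseudo-headers such as ":status"
                headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((int(m.group(1)) if m else None, headers))
    return hops

def audit(raw):
    """Return findings for the final response, preceded by any redirect hops."""
    hops = parse(raw)
    findings = [f"redirect {s} -> {h.get('location', ['?'])[0]}" for s, h in hops[:-1]]
    _, h = hops[-1]
    findings += [f"missing {n}" for n in SECURITY if n not in h]
    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', ",".join(hsts or []), re.I)
    if hsts is not None and (m is None or int(m.group(1)) == 0):  # 0 clears the policy
        findings.append("strict-transport-security has no usable max-age")
    findings += [f"missing {n}" for n in ("cache-control", "content-encoding") if n not in h]
    if any(re.search(r"\d", v) for v in h.get("server", [])):
        findings.append("server discloses a version")
    if "x-powered-by" in h:
        findings.append("x-powered-by discloses the stack")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A plain `curl -I` request does not send `Accept-Encoding`, so a missing `content-encoding` in that capture may not reflect what browsers receive; capture with `curl -I --compressed` before treating it as a finding.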

Frequently asked questions

Where do I get response headers from?
Chrome DevTools → Network tab → click any request → “Headers” → scroll to “Response Headers”. Or run `curl -I URL` for a quick command-line check.

What is HSTS and why does it matter?
Strict-Transport-Security tells browsers to ALWAYS use HTTPS for your domain — blocking downgrade attacks where attackers force HTTP. Once set, browsers refuse HTTP even if the user types it. Always enable on production sites.

Should I hide the Server header?
For security hardening, yes — disclosing “nginx 1.18” tells attackers which CVEs apply. The headers are easy to remove in nginx, Apache, IIS, and most CDNs. Not a critical issue but a free hardening win.

What does X-Robots-Tag in headers do?
It controls indexing for non-HTML resources (PDFs, images, JSON files). You cannot add a robots meta tag to a PDF — but you can send `X-Robots-Tag: noindex` as an HTTP header. Useful for keeping internal assets out of search.

Need a full security and performance audit including headers, CSP, and CDN config?

Riman Agency runs technical SEO and security audits.
