GitHub Pagesツール

無料 HTTPヘッダーパーサー＆解説

生のHTTPレスポンスヘッダーを貼り付けると、各ヘッダーをグループ別にわかりやすく解説します。

ツールを読み込み中...

HTTPヘッダーパーサー＆解説とは

HTTP response headers are metadata sent by the server alongside the page content. They control caching, security, content handling, CORS access, and redirection. Understanding what each header does is essential for debugging page behavior, optimizing performance, and securing a site. This tool parses raw headers and explains each one in plain English.

クイックアンサー

Paste HTTP response headers to get plain-English explanations of each one. Headers are grouped by function (cache, security, CORS, content, redirection). The parser flags missing security headers like HSTS, X-Content-Type-Options, and X-Frame-Options.

制限事項

This parser explains individual headers but cannot verify cross-header consistency or detect all conflicting configurations. Some header interactions require understanding of the full site architecture.
Header names are not case-sensitive per the HTTP spec, but the parser normalizes to lowercase for matching. Unusual header casing or formatting may cause mismatches.
Some proprietary or non-standard headers (X- prefixed headers from specific vendors) may not be recognized. The parser groups unrecognized headers under Other.

使い方

Copy response headers from browser DevTools (Network tab > Response Headers), curl -I output, or server logs.
Paste them into the text area. The tool parses each header, groups them by function, and explains what each one does.
Review the security advisories for any missing security headers and follow the next-steps recommendations.

主な用途

Debug why a page is not caching correctly by reviewing the Cache-Control, ETag, and Expires headers.
Audit a site's security headers to check for missing HSTS, Content-Type-Options, or Frame-Options.
Understand a third-party API response's CORS headers to debug cross-origin fetch failures.

用途

使用例

例

Debugging cache issues

A developer notices pages are not caching. Paste the response headers into the parser. It shows Cache-Control: no-cache which explains the behavior — the browser must revalidate on every request.

例

Security header audit

A site owner pastes their response headers to check security. The parser flags missing Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options headers with remediation advice.

よくあるミス

Pasting request headers instead of response headers — request headers (sent by the browser) have different meanings than response headers (sent by the server).
Overlooking security advisories — missing security headers leave the site vulnerable to well-known attacks that are easy to prevent.
Assuming headers from a CDN or proxy are the same as origin headers — CDNs often add, remove, or modify headers.

検証

Paste the headers from a production URL (not localhost) to get accurate security advisories.
Re-check headers after making server or CDN configuration changes to confirm they are deployed correctly.

FAQ

HTTPヘッダーパーサー＆解説のFAQ

Where do I find HTTP response headers?

In Chrome/Edge DevTools: Network tab > select a request > Headers section > Response Headers. In curl: curl -I https://example.com. In Firefox: Network tab > select request > Headers > Response Headers. In server logs: check your web server's access or debug log configuration.

Why are some security headers missing from my site?

Many web servers and static hosts (including GitHub Pages) do not add security headers by default. You must configure them explicitly through server config, CDN rules, or a _headers file. Some headers like HSTS are not available on GitHub Pages at all and require a CDN in front.