Request Headers Parser

Parse and diagnose HTTP request headers and routing signals in your browser. No input is sent to a server. Use it as a first-pass diagnostic step.

How to use

Paste Request Headers from DevTools and click “Parse”. It shows a normalized list and summary.

Notes (this tool)

  • Cookie values are omitted (names only).

About this page

What does this tool do?

Paste request headers and normalize them into a name: value list.

Helps you review Cookie and Forwarded-related headers without missing them.

Request headers basics

  • Browsers send many headers with requests.
  • DevTools copy formats can be messy; normalization helps.
  • Header names are case-insensitive.

How to copy from Chrome DevTools

  • Network → select request → Headers → copy Request Headers
  • If formatting breaks, use this tool to normalize for sharing
  • Always review sensitive values (Cookie/Authorization) before sharing

Typical use cases

  • Troubleshoot missing cookies
  • Check prerequisite headers like Origin/Authorization
  • Inspect Forwarded headers behind VPN/Proxy/CDN

Output

  • Normalized header list
  • Cookie key list (values omitted)
  • Extracted Forwarded / X-Forwarded-For / X-Real-IP values

For “cookie not sent” issues, first confirm whether cookie names appear in the Cookie header, then consider SameSite/Domain/Path/Secure/HttpOnly conditions.

  • Mixing Authorization and Cookie (which one is used)
  • SameSite affecting cross-site/subdomain flows
  • Secure cookies won’t be sent over HTTP

Reading Forwarded headers

Forwarded and X-Forwarded-For are typically added by proxies and load balancers, but a client can also send them itself, so it is risky to trust them without a defined trusted-proxy boundary.

  • Multiple IPs may represent a chain of hops
  • Behind CDNs, REMOTE_ADDR can be the CDN edge
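
An added example, not the tool's own code: a right-to-left walk of the X-Forwarded-For chain that stops at the first address outside a trusted-proxy set, run on a constructed header block containing a blank line and a duplicated header name. The function names, the sample addresses (documentation ranges) and the trusted CIDR list are assumptions; only IPv4 is handled, and anything else is treated as untrusted.

```javascript
// Constructed sample, shaped like a DevTools paste (documentation-range addresses).
const SAMPLE = `Host: app.example.com
Cookie: sid=abc123; theme=dark

X-Forwarded-For: 203.0.113.7, 198.51.100.23
x-forwarded-for: 192.0.2.10`;

// Parse into [lowercased-name, value] pairs; duplicate names stay separate, in order.
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':', 1); // from index 1 so ":authority" pseudo-headers parse
    if (i < 0) continue;            // blank or wrapped debris
    out.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return out;
}

// Cookie names only; values are dropped so the result is safe to share.
function cookieNames(headers) {
  return headers.filter(([n]) => n === 'cookie')
    .flatMap(([, v]) => v.split(';')).map(p => p.split('=')[0].trim()).filter(Boolean);
}

// IPv4 dotted quad -> unsigned integer, or null for anything else.
function ipv4ToInt(ip) {
  const p = ip.split('.');
  if (p.length !== 4 || p.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
  return p.reduce((n, o) => n * 256 + Number(o), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const a = ipv4ToInt(ip), b = ipv4ToInt(base), size = 2 ** (32 - Number(bits));
  return a !== null && b !== null && Math.floor(a / size) === Math.floor(b / size);
}

// Start at the socket peer and step left only past trusted proxies. The first
// untrusted address is the client; everything to its left is client-supplied.
function resolveClientIp(headers, remoteAddr, trustedCidrs) {
  const hops = headers.filter(([n]) => n === 'x-forwarded-for')
    .flatMap(([, v]) => v.split(',')).map(s => s.trim()).filter(Boolean);
  const isTrusted = ip => trustedCidrs.some(c => inCidr(ip, c));
  let candidate = remoteAddr;
  while (isTrusted(candidate) && hops.length > 0) candidate = hops.pop();
  return candidate;
}
```

With the same headers but a socket peer outside the trusted set, `resolveClientIp` returns the peer address and ignores the header entirely.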

Common pitfalls

  • Sharing full cookie values (security risk)
  • Parsing breaks due to blank lines or wrapping
  • Missing duplicated header names

Security & privacy notes

Request headers can include sensitive data. Mask/remove it before sharing.

  • Do not share Cookie / Authorization / X-API-Key
  • This tool runs locally and does not send input

What this tool does

  • Normalize and list headers
  • Extract cookie keys
  • Summarize Forwarded headers

Debugging workflow (recommended)

  • Paste actual headers or observed values
  • Compare expected and observed values
  • Trace proxy, CDN, and redirect paths

Operational notes

  • Intermediaries may rewrite headers. Compare captures from equivalent points.
  • Confirm final decisions with server logs and configuration, such as trusted-proxy and routing settings.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • RFC 7239 (Forwarded)

FAQ

What format should I paste?

Paste the text copied from DevTools Request Headers.

Can it show cookie values?

For safety, it lists cookie names only (values omitted).

Does header name casing matter?

HTTP header names are case-insensitive.

Can I use this for third-party sites?

Yes. Since it parses pasted headers copied from DevTools, it works for any site.
