HTTP Header Builder
Build the response headers you actually need without memorizing the syntax. Toggle CORS, Cache-Control and security headers like HSTS, X-Frame-Options and Referrer-Policy, then copy the result as raw HTTP, Nginx or Apache config.
How to build HTTP response headers
- Turn on the sections you need: CORS, Cache, Security or Custom headers.
- Set each value, like an allowed origin, a cache strategy or an HSTS max-age.
- Copy the output as raw HTTP, Nginx add_header or Apache Header set lines.
Examples
Open CORS for a public GET/POST API
cors: origin '*', methods ['GET', 'POST']
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Cache static assets for a year
cache: strategy 'immutable', maxAge 31536000
Cache-Control: public, max-age=31536000, immutable
Harden a site with security headers
security: hsts true, frameOptions 'DENY', contentTypeOptions true
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Frequently asked questions
What HTTP headers can this tool build?
CORS headers (Access-Control-Allow-Origin, Methods, Headers, Credentials and Max-Age), Cache-Control with a strategy plus max-age and s-maxage, and security headers including Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. You can also add any custom name and value.
What is the difference between the raw, Nginx and Apache output?
Raw is plain HTTP, one 'Name: Value' line per header, handy for documentation or a framework that sets headers directly. Nginx output wraps each header as add_header Name "Value"; for a server or location block. Apache output uses Header set Name "Value" for a vhost or .htaccess with mod_headers enabled.
Does Access-Control-Allow-Origin: * work with credentials?
No. Browsers reject a wildcard origin when Access-Control-Allow-Credentials is true. If you need credentials, set a single explicit origin like https://example.com instead of *. The builder lets you set both, but the spec requires a specific origin in that case.
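One way to implement the three output formats and the wildcard/credentials rule from the two answers above, as an added example that is not this tool's own code. The function names `buildHeaders` and `render` and the option shape are assumptions modelled on the Examples section.

```javascript
// Added example; function and option names are assumptions, not the tool's code.
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // valid header field-name characters
const CACHE = {
  'immutable': (s) => `public, max-age=${s}, immutable`,
  'no-store': () => 'no-store',
  'no-cache': () => 'no-cache',
};

function buildHeaders({ cors, cache, security } = {}) {
  const out = [];
  if (cors) {
    // Browsers reject a wildcard origin on credentialed requests: fail early.
    if (cors.credentials && cors.origin === '*') {
      throw new Error('credentials require an explicit origin, not *');
    }
    out.push(['Access-Control-Allow-Origin', cors.origin]);
    if (cors.methods) out.push(['Access-Control-Allow-Methods', cors.methods.join(', ')]);
    if (cors.credentials) out.push(['Access-Control-Allow-Credentials', 'true']);
  }
  if (cache) {
    if (!own(CACHE, cache.strategy)) throw new Error('unknown cache strategy');
    out.push(['Cache-Control', CACHE[cache.strategy](cache.maxAge)]);
  }
  if (security) {
    if (security.hsts) out.push(['Strict-Transport-Security', 'max-age=31536000; includeSubDomains']);
    if (security.frameOptions) out.push(['X-Frame-Options', security.frameOptions]);
    if (security.contentTypeOptions) out.push(['X-Content-Type-Options', 'nosniff']);
  }
  for (const [name, value] of out) {
    // Reject bad names and CR/LF/control characters so a value cannot split into extra headers.
    if (!TOKEN.test(name) || /[\x00-\x1f\x7f]/.test(String(value))) {
      throw new Error(`invalid header: ${name}`);
    }
  }
  return out;
}

function render(headers, format = 'raw') {
  const quote = (v) => `"${String(v).replace(/(["\\])/g, '\\$1')}"`;
  const formats = {
    raw: (n, v) => `${n}: ${v}`,
    nginx: (n, v) => `add_header ${n} ${quote(v)};`,
    apache: (n, v) => `Header set ${n} ${quote(v)}`,
  };
  if (!own(formats, format)) throw new Error(`unknown format: ${format}`);
  return headers.map(([n, v]) => formats[format](n, v)).join('\n');
}
```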
What does the HSTS header do?
Strict-Transport-Security tells browsers to only reach your site over HTTPS for the given max-age, which defaults to one year (31536000 seconds) here and includes subdomains. Only enable it once HTTPS is working everywhere, since browsers remember it and will refuse plain HTTP until the max-age expires.
Should I use no-store or no-cache?
no-store tells caches never to keep a copy, which suits sensitive or always-fresh responses. no-cache lets a cache store the response, but the cache must revalidate with the origin before reusing it. For cacheable assets, use public or immutable with a max-age instead.
Is my data sent to a server?
No. Every header is assembled entirely in your browser from the options you set, so nothing you type is uploaded or stored anywhere.