What about security? Isn't this SSRF?

**We defend against SSRF**: we block private addresses (**10.x**, **172.16-31.x**, **192.168.x**), loopback (**127.0.0.0/8**, **::1**), link-local (**169.254.0.0/16** - where AWS / Azure / GCP metadata services sit), carrier-grade NAT (**100.64.0.0/10**), IPv6 ULA (**fc00::/7**). The host is **resolved on the server** and every returned IP is checked **before** the fetch (this defends against **DNS rebinding**). Only **http:// and https://** are allowed.

**15 seconds** per request (per hop), **5 MB** response body (anything bigger is truncated), **50 requests per hour** per IP, **10 redirects** max. These limits cover **99% of API debugging**. For huge files use a local curl.

Do you store my requests or responses?

**No**. We don't log URLs, headers, bodies, or responses. The only state in the process is the **per-IP request counter** (for rate limiting), reset every hour or on server restart. **Nothing is persisted to disk**.

What does "TTFB" mean in the timing breakdown?

**Time To First Byte** - time from when the request is sent to when the **first byte of response headers** arrives. High TTFB (>500 ms) = **server is slow to generate the response** (database? cache miss? slow API?). Low (<100 ms) = the server is healthy.

Why don't I see separate TCP connect and TLS handshake times?

Because **Node fetch (undici) doesn't expose them publicly**. We measure: **DNS** separately (via `dns.lookup`), then **TTFB** (fetch start → headers) and **transfer** (headers → body complete). Connect + TLS are **bundled inside TTFB**. For precise numbers use **curl -w "%{time_connect} %{time_appconnect}"** locally.

Can I upload files (multipart/form-data)?

**Partially**. Text fields **yes** (the form-data tab gives you key/value rows). **Binary attachments** are not supported in this version - that would mean uploading files to our server, which we don't want for privacy reasons. For real file uploads, use **curl** locally.

What about gzipped responses?

Servers often respond with **Content-Encoding: gzip** (or br / deflate). We show both sizes: **compressed** (from the `Content-Length` header - bytes on the wire) and **decompressed** (what you get after Node automatically decodes it). The ratio = compression ratio.

What does "blocked: privateHost" mean in the redirect chain?

One of the `Location` headers in the 3xx sequence pointed to a **private address** (e.g. your API backend returned `Location: http://10.0.0.1/admin`). **We stop the chain right there** so we never reach an internal network. Same SSRF guard as for the first URL.

HTTP request tester - free

HTTP request tester

Type a URL, pick a method, add headers, body, auth - click send. The request goes from our server (not from your browser, so CORS won't block). You get the status, response headers, body, full timing and the redirect chain.

Your HTTP request is sent from our server, not from your browser (it bypasses CORS). We don't store the request or the response.

Curl in the browser - no Postman, no CORS

Type a URL, pick GET / POST / PUT, add headers and body - click. The request goes from our server, so CORS doesn't block and you don't need to install Postman.

You get the status code, response headers, body (auto-formatted JSON / XML / HTML), size (compressed + decompressed), set-cookie plus the timing breakdown: DNS / TTFB / transfer.

Great for API debugging: webhooks, OAuth, third-party endpoints, checking cache or CORS headers - without leaving the browser.

How to use it

Pick the method (GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS) on the top bar.

Paste the target URL (must start with https:// or http://).

In the Headers tab add your own headers (e.g. Accept: application/json, X-API-Key).

In the Body tab pick a format: JSON, form-data, x-www-form-urlencoded or raw. Type the data.

In the Auth tab pick Basic (user + password) or Bearer (token). The Authorization header is built automatically.

Hit Send. On the right you see the status, headers, body, timing and cookies.

Turn on Follow redirects only when you want to see the whole 3xx → 200 chain. Each redirect is re-validated for SSRF before we follow it.

When this is useful

An HTTP request tester solves day-to-day frontend and backend problems:

API debugging. Does the endpoint respond at all? Does it return what the docs promise? One shot, full picture.
CORS that browser fetch can't beat. Your fetch in devtools throws a CORS error? From our server CORS doesn't exist - you see the actual server response, not the browser's wrapper around the error.
Webhook receivers. POST to your own webhook, see what arrives and in what shape.
OAuth / Bearer tokens. Check whether the token is valid - GET /me with Authorization: Bearer ... and read the response.
Basic Auth. Probe endpoints behind Basic (admin panels, legacy APIs).
Performance triage. TTFB too high? Transfer longer than expected? You see it broken down.
Redirect chains. Domain does 3 hops before the page? The hop list shows each one.
Cache header checks. Cache-Control, ETag, Last-Modified - full list of response headers.
OPTIONS preflight. CORS preflight with a real Origin and Access-Control-Request-Method, so you see exactly what your server returns.

Related: catch incoming webhooks in the webhook receiver, stub responses with the mock API generator, or generate request types straight from an OpenAPI spec.

Questions and answers

Because browsers block cross-origin requests (CORS). From our server CORS doesn't apply - it's a regular fetch from Node.js. Plus: some servers return different headers to a browser than to curl/Node (e.g. User-Agent gating), so you see the real response, not the polite one for browsers.

Curl in the browser - no Postman, no CORS

Type a URL, pick GET / POST / PUT, add headers and body - click. The request goes from our server, so CORS doesn't block and you don't need to install Postman.

Great for API debugging: webhooks, OAuth, third-party endpoints, checking cache or CORS headers - without leaving the browser.

How to use it

Pick the method (GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS) on the top bar.

Paste the target URL (must start with https:// or http://).

In the Headers tab add your own headers (e.g. Accept: application/json, X-API-Key).

In the Body tab pick a format: JSON, form-data, x-www-form-urlencoded or raw. Type the data.

In the Auth tab pick Basic (user + password) or Bearer (token). The Authorization header is built automatically.

Hit Send. On the right you see the status, headers, body, timing and cookies.

Turn on Follow redirects only when you want to see the whole 3xx → 200 chain. Each redirect is re-validated for SSRF before we follow it.

When this is useful

An HTTP request tester solves day-to-day frontend and backend problems:

API debugging. Does the endpoint respond at all? Does it return what the docs promise? One shot, full picture.
CORS that browser fetch can't beat. Your fetch in devtools throws a CORS error? From our server CORS doesn't exist - you see the actual server response, not the browser's wrapper around the error.
Webhook receivers. POST to your own webhook, see what arrives and in what shape.
OAuth / Bearer tokens. Check whether the token is valid - GET /me with Authorization: Bearer ... and read the response.
Basic Auth. Probe endpoints behind Basic (admin panels, legacy APIs).
Performance triage. TTFB too high? Transfer longer than expected? You see it broken down.
Redirect chains. Domain does 3 hops before the page? The hop list shows each one.
Cache header checks. Cache-Control, ETag, Last-Modified - full list of response headers.
OPTIONS preflight. CORS preflight with a real Origin and Access-Control-Request-Method, so you see exactly what your server returns.

Related: catch incoming webhooks in the webhook receiver, stub responses with the mock API generator, or generate request types straight from an OpenAPI spec.

Questions and answers

HTTP request tester

Curl in the browser - no Postman, no CORS

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

Regex tester

JSON formatter

HTTP request tester

Curl in the browser - no Postman, no CORS

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

Regex tester

JSON formatter