HTTP Security Header Checker - Online HSTS, CSP, X-Frame Analysis
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
UD5 Toolkit
Test, analyze & debug Cross-Origin Resource Sharing headers in real-time
Live TestingPaste raw response headers (from curl -I or DevTools) to analyze CORS configuration.
*Access-Control-Allow-Origin header. To fix it, configure your server to include this header with either a specific origin (e.g., https://myapp.com) or a wildcard *. Note that * cannot be used with credentials (cookies/authorization). Use this tool to verify the header is present in the response.OPTIONS request sent by the browser before certain cross-origin requests (non-simple requests). It checks with the server whether the actual request is safe to send. Preflight is triggered by non-standard HTTP methods (PUT, DELETE, PATCH), custom headers (like Authorization or X-Custom-Header), or Content-Type values other than application/x-www-form-urlencoded, multipart/form-data, or text/plain.* together with Access-Control-Allow-Credentials: true. If you need to send credentials (cookies, HTTP authentication), you must specify an exact origin in Access-Control-Allow-Origin. Using both is a common configuration mistake that this tool can detect.curl with the -I flag for a HEAD request: curl -I -H "Origin: https://example.com" https://api.target.com/endpoint For preflight simulation: curl -X OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Method: POST" https://api.target.com/endpoint Then paste the response headers into the Header Analyzer above.Content-Type: application/json or custom headers trigger a preflight because they fall outside the "simple request" criteria. The browser sends an OPTIONS request first to verify the server permits the actual POST. Ensure your server handles OPTIONS requests properly.X-Rate-Limit, X-Request-ID, or Link), you must list them in Access-Control-Expose-Headers for JavaScript to read them via response.headers.get().Access-Control-Max-Age header controls how long (in seconds) a browser can cache the preflight response. The maximum value in Chrome is 7200 seconds (2 hours), while Firefox supports up to 86400 seconds (24 hours). Setting an appropriate Max-Age reduces unnecessary preflight requests and improves performance. If not specified, browsers use a default of 5 seconds.Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Start a fetch request and cancel it with AbortController. See how to implement request cancellation. Interactive.
Bypass CORS for testing by routing requests through a local service worker proxy. Debug APIs without server changes. Experimental.
See how to implement file upload progress using both fetch and XHR. Real‑time bar and code snippets for your project.
Paste a cURL command and convert it to a fetch() call in JavaScript, Python requests, or Go net/http. Save time.
Paste raw email headers and see authentication results (SPF, DKIM, DMARC) in a readable table. Find spoofing attempts.
Enter a URL to see exactly what Open Graph and Twitter card tags will be shown when shared on social media. Fetch from browser.
Decode the header and payload of a JSON Web Token (JWT) without verifying the signature. Inspect claims securely on the client side. Great for developers.