HTTP Request Debugger
Send HTTP requests with custom method, headers, query params, and request body. Inspect the full response — status, timing, size, and headers — right in your browser.
Tips
- Requests are proxied through the server to bypass browser CORS restrictions.
- Response bodies larger than 512 KB are truncated in the preview pane.
- Toggle individual query params or headers on/off without deleting them.
- For POST / PUT / PATCH, the Content-Type header is automatically injected unless you set it manually.
HTTP Methods
GET: Retrieve a resource without modifying server state. Parameters are sent in the URL. Idempotent & cacheable.
POST: Submit data to create a new resource. Body carries the payload. Not idempotent — each call may create a new resource.
PUT: Replace an entire resource (creates it if it doesn't exist). Idempotent — repeated calls produce the same result.
PATCH: Partially update a resource — send only the fields that change. Generally not idempotent.
DELETE: Remove the specified resource. Idempotent — deleting the same resource multiple times has the same effect.
HEAD: Same as GET but returns headers only — no body. Useful for checking if a resource exists or validating cache freshness.
OPTIONS: Ask the server which methods it supports. Used by browsers as a CORS preflight request.
HTTP Status Codes
2xx Success
200 OK — Request succeeded; response body contains the result.
201 Created — Resource created; Location header points to the new resource.
204 No Content — Success but no response body (common for DELETE).
206 Partial Content — Partial resource returned — used for range requests / resumable downloads.
3xx Redirection
301 Moved Permanently — Resource permanently moved; browsers cache the new URL.
302 Found — Temporary redirect; client should still request the original URL next time.
304 Not Modified — Cache is still valid; client can use the local cached copy.
307 Temporary Redirect — Temporary redirect preserving the original HTTP method (no downgrade to GET).
4xx Client Errors
400 Bad Request — Malformed request syntax or invalid parameters.
401 Unauthorized — Missing or invalid credentials — authentication required.
403 Forbidden — Authenticated but not authorized to access this resource.
404 Not Found — The requested resource does not exist.
405 Method Not Allowed — The HTTP method is not supported for this endpoint.
422 Unprocessable Entity — Well-formed request but failed business validation (common in REST APIs).
429 Too Many Requests — Rate limit exceeded; response usually includes a Retry-After header.
5xx Server Errors
500 Internal Server Error — Unexpected server-side failure; check server logs.
502 Bad Gateway — Upstream server returned an invalid response (common behind reverse proxies).
503 Service Unavailable — Server temporarily unable to handle requests — overloaded or in maintenance.
504 Gateway Timeout — Upstream server did not respond in time.
Common Request Headers
Authorization: Bearer <token> or Basic <base64> — carries credentials for REST API authentication.
Content-Type: Tells the server the format of the request body, e.g. application/json or multipart/form-data.
Accept: Tells the server which response formats the client understands, e.g. application/json.
Accept-Language: Preferred language, e.g. en-US,en;q=0.9.
Cache-Control: no-cache bypasses cache; max-age=3600 sets the maximum cache lifetime.
User-Agent: Identifies the client type and version; servers may serve different content per client.
Origin: Indicates the request origin for CORS — automatically added by browsers.
Cookie: Sends session cookies when the server uses cookie-based authentication.
X-Request-ID: Custom unique request identifier for distributed tracing and log correlation.
Common Response Headers
Content-Type: Media type of the response body, e.g. application/json; charset=utf-8.
Content-Length: Size of the response body in bytes; useful for showing download progress.
Cache-Control: Caching directives, e.g. no-store (never cache) or public, max-age=86400.
ETag: Version token for the resource; send it back in If-None-Match for cache validation.
Last-Modified: Timestamp of the last resource change; used with If-Modified-Since for conditional requests.
Location: Redirect target for 301/302, or the URL of the newly created resource for 201.
Access-Control-Allow-Origin: CORS header specifying which origins may access the resource; * means any origin.
Strict-Transport-Security: HSTS — instructs browsers to use HTTPS for all future requests to this domain.
X-RateLimit-Remaining: Number of requests remaining in the current rate-limit window.
Retry-After: On 429/503, tells the client how long to wait before retrying (seconds or HTTP date).
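
Handling both Retry-After forms listed above (seconds or HTTP date), as an added example that is not part of the original page or the tool's own code. The names `parseRetryAfter`, `retryDelay` and the `MAX_WAIT_MS` cap are assumptions chosen for illustration, and the sample responses are constructed.

```javascript
// Added example: turn a Retry-After header into a wait time in milliseconds.
// parseRetryAfter, retryDelay and MAX_WAIT_MS are illustrative names (assumptions).
const MAX_WAIT_MS = 5 * 60 * 1000; // assumed ceiling: never let a server stall the client longer

function parseRetryAfter(value, now = Date.now()) {
  if (typeof value !== "string") return null;
  const v = value.trim();

  // Form 1: delta-seconds, a non-negative decimal integer.
  if (/^\d+$/.test(v)) {
    return Math.min(Number(v) * 1000, MAX_WAIT_MS);
  }

  // Form 2: HTTP date in the fixed format, e.g. "Wed, 21 Oct 2015 07:28:00 GMT".
  // The strict pattern keeps Date.parse from accepting arbitrary date-like strings.
  if (/^[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$/.test(v)) {
    const when = Date.parse(v);
    if (Number.isNaN(when)) return null;
    // A date already in the past means the client may retry immediately.
    return Math.min(Math.max(when - now, 0), MAX_WAIT_MS);
  }

  return null; // malformed (negative, fractional, free text): caller uses its own backoff
}

// Returns the wait in ms for a 429/503 response, or null when no usable hint exists.
function retryDelay(status, headers, now = Date.now()) {
  if (status !== 429 && status !== 503) return null;
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive.
    if (name.toLowerCase() === "retry-after") return parseRetryAfter(value, now);
  }
  return null;
}

// Constructed sample responses, not captured traffic.
const sampleNow = Date.UTC(2015, 9, 21, 7, 27, 30);
const samples = [
  [429, { "Retry-After": "120" }],
  [503, { "retry-after": "Wed, 21 Oct 2015 07:28:00 GMT" }],
  [429, { "Retry-After": "999999999" }],
  [429, { "Retry-After": "-5" }],
];
for (const [status, headers] of samples) {
  console.log(status, headers, "->", retryDelay(status, headers, sampleNow));
}
```

A `null` result means the header was absent or malformed, so the caller should apply its own backoff instead of trusting the value.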