Debug HTTP responses in seconds. CORS policies, CSP directives, security headers, redirect chains, cache behavior: analyzed, graded, and explained. Just type a domain above.
CORS Analysis
Preflight simulation, origin reflection detection, wildcard+credentials checks, fix suggestions with server configs.
CSP Evaluation
Directive parsing, bypass detection, unsafe-inline/eval checks, missing directive warnings. A-F grading.
Security Headers
HSTS, XFO, XCTO, Referrer-Policy, Permissions-Policy, COOP, COEP. Preload eligibility check.
Redirect Chain
Follow up to 20 hops with per-hop timing. Detect loops, mixed-content downgrades, unnecessary redirects.
Cache Behavior
Cache-Control parsing, effective TTL, Vary implications, CDN detection from response headers.
Error Decoder
Paste a CORS error from your browser console. Get the diagnosis, the fix, and the headers you need.
# Full scan
$ curl preflight.lol/example.com
# CORS only
$ curl preflight.lol/example.com/cors
# Simulate a CORS request
$ curl -X POST preflight.lol/cors -d '{"target":"https://api.example.com","origin":"https://app.example.com"}'
# Decode a browser CORS error
$ curl -X POST preflight.lol/error -d '{"error":"No Access-Control-Allow-Origin header..."}'