HTTP inspector · live request

Every header you just sent.

What your browser (or script, or whatever just hit us) sent in this request. Useful for chasing CDN/proxy weirdness, building scrapers, or confirming what a VPN exposes.

Connection
Transport
HTTPS · TLS (version negotiated by your client — typically 1.3 with Caddy)
Advertises HTTP/3
No

Caddy in front of IPFerret negotiates TLS 1.3 with virtually all modern clients and serves both HTTP/2 and HTTP/3 on the same port. The exact version your client picked is known to the TLS layer but not exposed to Node.js — what we can confirm is whether encryption is on and whether the server advertised QUIC for next time.

Highlights
host
ipferret.com
user-agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
accept
*/*
accept-encoding
gzip, br, zstd, deflate
x-forwarded-for
216.73.216.49
x-forwarded-proto
https
All headers (9)
  • accept*/*
  • accept-encodinggzip, br, zstd, deflate
  • hostipferret.com
  • user-agentMozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
  • via2.0 Caddy
  • x-forwarded-for216.73.216.49
  • x-forwarded-hostipferret.com
  • x-forwarded-port3030
  • x-forwarded-protohttps

Need the machine-readable version? GET /api/headers returns the same data as JSON. Authorization, Cookie, and Proxy-Authorization values are redacted on both endpoints.

What's actually here?

  • User-Agent — your browser's self-identification. Don't trust it for security decisions; it's trivial to spoof. Decoded into browser/OS/device on the user-agent tool.
  • Accept / Accept-Language / Accept-Encoding — content negotiation preferences (which MIME types, which languages, which compression algorithms your client understands).
  • X-Forwarded-For / X-Real-IP — the headers our reverse proxy (Caddy) adds so we can see the original client IP behind it. The forward chain is also shown on the home page.
  • X-Forwarded-Proto — tells us the original request scheme. We use it to confirm TLS termination upstream.
  • Sec-CH-* / Sec-Fetch-* — Chromium's "Client Hints" replacement for the UA string, and Fetch metadata about where the request came from. Privacy-respecting browsers may suppress these.

What's not here

Cookie, Authorization, and Proxy-Authorization are replaced with [redacted] server-side — we never want to surface a session token or API key in a debug page. If you specifically need to inspect those, use your browser's devtools network panel; they're for your eyes only.