All HttpFixer Tools
Free browser-based developer tools. No signup, no backend, nothing leaves your browser.
Core tools — live URL scanning
HeadersFixer
Scan any URL for missing or misconfigured HTTP security headers. Get exact Nginx, Vercel, Cloudflare, Express config.
Core CORSFixer
Send a real OPTIONS preflight to your API endpoint. See exactly what headers are missing and get the fix for your framework.
Core OAuthFixer
Diagnose OAuth 2.0 errors — invalid_grant, redirect_uri_mismatch, PKCE failures. Provider-specific fixes for Auth0, Okta, Cognito, Google.
Core CSPFixer
Scan your live URL, find all blocked resources, and generate a working Content Security Policy. No unsafe-inline required.
Core EdgeFix
Audit Cache-Control, Vary, Age, X-Cache, ETag headers. Find why your CDN is not caching and get the fix for your stack.
Core SpeedFixer
Live PageSpeed Insights audit on your URL. Detects your stack and generates the exact Nginx/Vercel/Cloudflare config to fix each failing audit.
Core New tools — specialist utilities
Header Diff
Compare HTTP headers between two URLs side by side. Find what is missing in production that staging has, or vice versa.
New Cache-Control Simulator
Paste any Cache-Control header value and see a visual timeline. Understand stale-while-revalidate, s-maxage, and stale-if-error instantly.
New HSTS Preload Checker
Check if your domain is on the HSTS preload list built into browsers. See your HSTS header, requirements checklist, and how to get listed.
New Generators — build from scratch
CSP Generator
Build a Content Security Policy by selecting your sources. Outputs header value and Nginx/Vercel config.
Generator CORS Header Generator
Select origin, methods, and headers. Get Nginx, Express, and FastAPI CORS config in one click.
Generator Security Headers Generator
Configure all 9 security headers. Outputs Nginx and Vercel config with safe defaults pre-selected.
Generator Permissions-Policy Generator
Control camera, microphone, geolocation. Block unused browser features with copy-paste output.
Generator New tools
CSP Validator — Validate a CSP string against W3C spec. Flags unsafe-inline, missing directives, syntax errors.
JWT Debugger — Decode and validate JWTs. Flags none algorithm, missing expiry, expired tokens. Client-side only.
Security Headers Scorer — Score your security headers 0-100 with per-header breakdown and exact fix links.
Mixed Content Fixer — Find HTTP resources on your HTTPS page. Generates upgrade-insecure-requests CSP and Nginx rewrite rules.
Cache-Control Generator — Generate Cache-Control headers for any asset type with stack-specific Nginx, Vercel, Cloudflare config.