UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

HTTP Request Builder

Send HTTP requests from your browser via a server-side proxy — set method, headers, body, and inspect the full response.

About HTTP Request Builder

HTTP Request Builder is a Postman-lite tool for testing APIs and HTTP endpoints directly from your browser. Choose a method (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS), enter a URL, add custom request headers, and pick a body format — JSON, form-data, or raw text. The request is sent via a server-side proxy with SSRF protections so private IPs and localhost are blocked. The response panel shows a color-coded status code, elapsed time, response size, full response headers, and a pretty-printed body. A 'Copy as cURL' button generates the equivalent curl command so you can reproduce the request in your terminal or share it with teammates. The last 10 requests are saved to localStorage for quick recall.

Why use HTTP Request Builder

  • No install — test any public API directly in the browser without Postman or Insomnia.
  • Server-side proxy lets you bypass browser CORS restrictions on third-party APIs.
  • Pretty-print JSON responses automatically for easy readability.
  • Copy as cURL makes it easy to share or reproduce requests in a terminal.
  • Request history keeps the last 10 requests so you never lose your work.
  • SSRF protections block private IP ranges to prevent internal network misuse.

How to use HTTP Request Builder

  1. Select an HTTP method from the dropdown (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS).
  2. Enter the full URL including https:// in the URL bar.
  3. Add request headers using the headers table — click '+ Add Header' for each key/value pair.
  4. Choose a body type tab: none, JSON, form-data, or raw, and fill in the body if needed.
  5. Click Send. The response panel shows status code, timing, response headers, and body.
  6. Use the Body / Response Headers tabs to switch views.
  7. Click 'Copy as cURL' to get the equivalent curl command for use in a terminal.

When to use HTTP Request Builder

  • Quickly testing a REST API endpoint without setting up a local client.
  • Debugging HTTP responses when you need to see exact headers and status codes.
  • Generating curl commands from a GUI without memorizing flags.
  • Testing webhooks or callback URLs during development.
  • Checking API authentication headers and error responses in real time.
  • Quickly testing a REST API endpoint without setting up a local Postman or Insomnia workspace

Examples

GET a JSON API

Input: GET https://jsonplaceholder.typicode.com/todos/1 Accept: application/json

Output: 200 OK Content-Type: application/json { "userId": 1, "id": 1, "title": "delectus aut autem", "completed": false }

POST JSON with Bearer token

Input: POST https://api.example.com/posts Authorization: Bearer eyJhbGc... Content-Type: application/json {"title":"Hello","body":"World"}

Output: 201 Created Location: /posts/42 { "id": 42, "title": "Hello", "body": "World" }

Copy as cURL output

Input: GET https://api.github.com/users/octocat Accept: application/vnd.github+json

Output: curl -X GET 'https://api.github.com/users/octocat' \ -H 'Accept: application/vnd.github+json'

Tips

  • Bearer tokens go in an Authorization header with value 'Bearer YOUR_TOKEN' — the proxy forwards all custom headers verbatim.
  • Use the form-data tab for application/x-www-form-urlencoded bodies — keys and values are URL-encoded automatically.
  • JSON bodies should be valid JSON — invalid JSON is sent as raw text and may fail with a 400 from the target server.
  • Set Accept: application/json explicitly when an API returns multiple representations to ensure JSON output.
  • HEAD requests fetch headers without the body — useful for checking if a URL exists or inspecting Content-Length.
  • OPTIONS reveals which methods and headers a CORS-enabled API allows — handy for debugging preflight failures.
  • Copy as cURL produces a single-line command — paste into a terminal and add -v for verbose connection debugging.

Frequently Asked Questions

Why does the request go through a server proxy?
Browsers block cross-origin requests due to CORS policy. The UtilityKit backend proxies the request server-side so you can reach any public API regardless of its CORS headers.
Can I send requests to localhost or internal IPs?
No — private IP ranges (127.x, 10.x, 192.168.x, 172.16-31.x) and localhost are blocked at the proxy to prevent server-side request forgery (SSRF) attacks.
What body types are supported?
JSON (application/json), form-data (sent as key/value JSON pairs), and raw text. The proxy forwards the body as-is with the Content-Type header you set.
How do I send a Bearer token?
Add a header row with key 'Authorization' and value 'Bearer YOUR_TOKEN'. The proxy forwards all custom headers to the target server.
Does request history persist across sessions?
Yes — the last 10 URLs and methods are stored in your browser's localStorage and survive page refreshes. History is never sent to the server.
What does the 'Copy as cURL' button produce?
A curl command string that replicates the current method, URL, headers, and body. You can paste it directly into any terminal or share it with a colleague.
Is there a request timeout?
Yes — requests are automatically aborted after 15 seconds to prevent hanging. You'll see a timeout error if the target server is too slow.

Explore the category

HTTP Headers Checker Inspect response status and headers from public HTTPS origins Website Status Checker Check whether any website or URL is up or down and see its HTTP response code, response time, and server headers. Online Ping Test Measure the response time (latency) of any IP address or hostname from our server with repeated ICMP-style pings. Python Online Compiler Run Python 3 code in your browser via Pyodide — no install, no server. Page Screenshot Service Capture full-page or viewport screenshots of any public URL as PNG or JPG using real browser rendering. Hex & Binary Viewer Inspect any file as a hex + ASCII dump in your browser
Understanding HTTP Headers: A Developer's Reference HTTP headers carry critical information about authentication, caching, content type, and security — yet many developers only interact with t Feb 2026 · 10 min How HTTP Caching Works: Cache-Control, ETags, and Browser Storage HTTP caching is one of the most powerful and most misunderstood web performance tools. Getting Cache-Control right can eliminate most of you May 2026 · 10 min HTTP Status Codes: The Complete Developer Reference Is that a 401 or a 403? A 404 or a 410? HTTP status codes have precise meanings that most developers only half-remember. Here is the definit Jan 2026 · 9 min

Glossary

HTTP method
The verb at the start of a request line — GET (read), POST (create), PUT (replace), PATCH (modify), DELETE (remove), HEAD (metadata only), OPTIONS (capabilities).
Status code 1xx (Informational)
Provisional responses — 100 Continue, 101 Switching Protocols. Rarely seen in everyday API work.
Status code 2xx (Success)
The request succeeded — 200 OK, 201 Created, 204 No Content. The server completed the operation.
Status code 3xx (Redirection)
Further action needed — 301 Moved Permanently, 302 Found, 304 Not Modified. The client should fetch a different URL.
Status code 4xx (Client error)
The request was malformed or unauthorized — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests.
Status code 5xx (Server error)
The server failed to handle the request — 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout.
CORS (Cross-Origin Resource Sharing)
A browser security policy that blocks cross-origin requests unless the server returns explicit Access-Control-Allow-Origin headers. Bypassed here by routing through a server-side proxy.
multipart/form-data
A Content-Type used for HTML form submissions and file uploads, encoding fields as a sequence of parts separated by a boundary string.
REST
Representational State Transfer — an architectural style using HTTP methods on resource URLs (GET /users/123) with JSON or XML bodies.
GraphQL
An API query language using a single POST endpoint with a JSON body specifying the desired fields and operations — testable here by setting method=POST and body=JSON.
SSRF (Server-Side Request Forgery)
An attack where a server is tricked into making requests to internal services on behalf of an attacker; mitigated by blocking private IP ranges at the proxy.
Bearer token
An access token sent in the Authorization header as 'Bearer <token>' — the most common authentication scheme for modern REST APIs.