HTTP Request Inspector

See exactly what your browser is telling servers about you right now. Server-visible headers come from a single read-only request to our backend; JavaScript-visible state is gathered from your browser directly.

What's the difference between server-visible and JS-visible state?

Server-visible headers

Every HTTP request your browser sends carries a set of headers in the request itself: User-Agent, Accept-Language, Cookie, etc. These are added by the browser automatically, sent in the bytes of the request, and visible to the server (and to any proxy in between). They're not visible to JavaScript on the page, because the browser deliberately blocks that to prevent fingerprinting scripts from reading them.

To show you these, we make a single read-only call to our backend (/api/myip?headers=1) which echoes back the headers it received. The backend logs only your IP's leading segment (the same as the What's My IP tool); the header values are echoed and forgotten.

JS-visible state

Some browser state isn't sent in HTTP headers but is available to JavaScript via APIs like navigator, Intl, screen, and window. Examples: your time zone, screen resolution, language preferences from navigator.languages, hardware concurrency, color depth, etc. We read these here, in your browser, and never send them anywhere.

Why this matters for privacy

Every piece of information visible above is something every site you visit can see. Individually, items like "you're on Chrome on macOS in Eastern Time" are bland. Together, they form a browser fingerprint that can identify your specific browser instance across sites without using cookies. The more unique each value is, the less private you are.

Defenses against fingerprinting include using Brave, Tor Browser, or Safari's privacy features; disabling JavaScript on sites that don't need it; using a common browser/OS combination instead of a rare one; and sticking with the default fonts and the default set of extensions. Trying to "spoof" individual values usually increases uniqueness, because the resulting combination is more unusual than a real one.

What's redacted

Authorization, Cookie, and Proxy-Authorization are redacted before the backend echoes them. The values still exist in your browser (and a packet capture would catch them), but our API doesn't echo their contents back to you on the page.
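
One way to implement the redact-then-echo step described above, as an added example that is not this tool's backend code. The three header names come from the page; the function names, placeholder text, response shape and the no-store cache header are assumptions, and the sample request is constructed.

```javascript
// Added example: not the tool's backend code. Header names to redact come from
// the page; the placeholder text and response shape are assumptions.
const REDACTED = new Set(["authorization", "cookie", "proxy-authorization"]);
const PLACEHOLDER = "[redacted]";

// rawHeaders is a flat [name, value, name, value, ...] list, the shape of
// Node's req.rawHeaders, so duplicates and original casing are preserved.
function echoHeaders(rawHeaders) {
  const out = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    // Header names are case-insensitive: compare lowercased, echo as received.
    const redacted = REDACTED.has(name.toLowerCase());
    out.push({ name, value: redacted ? PLACEHOLDER : rawHeaders[i + 1], redacted });
  }
  return out;
}

// Minimal handler for a Node http server: echo the headers, store nothing,
// and tell intermediaries not to cache the response (assumed hardening).
function handleEcho(req, res) {
  res.setHeader("Content-Type", "application/json");
  res.setHeader("Cache-Control", "no-store");
  res.end(JSON.stringify({ headers: echoHeaders(req.rawHeaders) }));
}

// Constructed sample request (every value here is made up).
const sampleRawHeaders = [
  "Host", "example.test",
  "User-Agent", "ExampleBrowser/1.0",
  "Accept-Language", "en-US,en;q=0.9",
  "COOKIE", "session=constructed-session-value",
  "authorization", "Bearer constructed-token-value",
  "Proxy-Authorization", "Basic constructed-credentials",
];

function demo() {
  return echoHeaders(sampleRawHeaders);
}

console.log(JSON.stringify(demo(), null, 2));
```

Matching on the lowercased name matters because a client or proxy may send `COOKIE` or `authorization`, and a case-sensitive comparison would echo the credential back in full.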