Network

HTTP Message Parser

Paste a raw HTTP message, a cURL command, or the fetch snippet that Chrome DevTools puts on your clipboard. The tool splits the request line, status, headers, query parameters, cookies, and body into a structured view, then re-emits the same request as cURL, HTTPie, fetch, axios, Python requests, Go, PHP, and around thirty other client formats. Everything runs in the browser; your messages and cookies stay on this page.

  • One input box recognises raw HTTP, cURL, and fetch snippets on its own
  • Requests and responses both unpack into tables for headers, query, cookies, and Set-Cookie
  • Body is auto-classified as JSON, form, XML, or text, with syntax highlighting
  • A single paste re-emits as thirty-plus client formats and target languages
tools/HTTP Message Parser

Start here

Paste a raw HTTP message, a cURL command, or a fetch snippet from DevTools into the input on the left, and the parsed view shows up here.

Try a sample
Samples

Overview

Paste a stray request or response and the tool unpacks the structure, runs a few light checks, and can re-emit the same call in another shape.

  1. 01

    Three paste shapes, auto-detected

    Raw HTTP messages, cURL commands, and the fetch snippet that Chrome DevTools puts on your clipboard are all recognised from the first line. You can also pick the format from the toolbar.

  2. 02

    Requests and responses, both

    Request line, status line, headers, query parameters, and cookies are unpacked into tables. The body is rendered as JSON, form, XML, or text based on Content-Type, with syntax highlighting.

  3. 03

    Cookies pulled apart in detail

    Request Cookie and Set-Cookie are shown separately, and Domain, Path, Expires, Max-Age, HttpOnly, Secure, SameSite, and Partitioned are each surfaced as their own attribute.

  4. 04

    Thirty-plus client formats out the other side

    cURL, HTTPie, wget, fetch, axios, got, ky, Python requests, Go, Rust, PHP Guzzle, Java OkHttp, and more come out the other side ready to paste into docs, migration scripts, or regression fixtures.

  5. 05

    Neutral safety and shape hints

    Missing HSTS, Content-Security-Policy, or X-Content-Type-Options surfaces as a notice; missing Secure or HttpOnly on cookies and broken __Host- prefixes do too. The tool flags; it does not decide.

  6. 06

    In-browser, no upload

    Detection, parsing, and conversion all happen on this page. No network request carries your messages or cookies out of the browser.

How to use

One input box covers detection, parsing, and export, with no extra panels to learn.

  1. 01

    Paste a raw HTTP message, a cURL command, or a fetch snippet from DevTools into the input on the left.

  2. 02

    The format is auto-detected. If detection picks the wrong one, switch to Raw HTTP, cURL, or fetch from the toolbar.

  3. 03

    In the overview on the right, confirm method, status, host, and body size, then expand headers, query, cookies, and hints.

  4. 04

    Switch to the Body view to read request or response payloads; JSON and form bodies offer a pretty/raw toggle.

  5. 05

    Need this call in another language? Switch to the Export view, pick a target from the dropdown, and copy the result back into your editor.

Details

Capturing traffic, reproducing a request, and writing docs end up in the same workspace without stepping on each other.

  • Raw HTTP splits headers from body on the blank line and tells request from response by the first line.
  • cURL parsing recovers method, URL, headers, cookies, body, and the common flags.
  • fetch parsing follows the DevTools "Copy as fetch" shape and extracts URL, method, headers, and body.
  • JSON bodies are pretty-printed by default, with a raw/pretty toggle for copying back out.
  • Cookie checks include SameSite=None paired with Secure, and __Host- / __Secure- prefix constraints.
  • Response checks cover HSTS, Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy.

Use cases

The everyday HTTP chores: each leaves a bit less manual copy-paste behind.

  1. Move a live request into a local script

    Copy cURL or fetch from DevTools, convert to Python requests, Go, or Java OkHttp, and use the result as the starting point for automation or a regression fixture.

  2. Debug a misbehaving API call

    Paste a raw message from a proxy and walk through headers, status, Set-Cookie, and body to spot where backend and client disagree.

  3. Audit response security headers

    Confirm whether HSTS, CSP, and X-Content-Type-Options are present against a baseline, then decide whether deeper review is warranted.

  4. Keep multi-language docs in sync

    One example exchange exports to cURL, HTTPie, fetch, axios, Python, and Go side by side, so you stop hand-writing the same example five times.

  5. Replay or edit a cookie flow

    Pull apart a Cookie header, adjust Domain, Path, or SameSite, then reassemble it and paste back into the browser or script to reproduce the issue.

  6. Share a clean sample with the team

    Turn real traffic into a tidy .http file or a single cURL so frontend, backend, QA, and SRE start from the same example.

See also

When the same capture also carries a hard-to-read User-Agent, open User-Agent Parser to split it into browser, OS, device, and bot signals. For tangled query strings or long redirect chains, URL Tools walks each component apart and clears tracking parameters. When an Authorization header or cookie carries a JWT, JWT Inspector decodes the payload and verifies the signature so you do not act on an unverified token.

Best practices

Messages are text. The eye misses things; let the structured view do the first read.

  • Prefer multi-line cURL when copying — flag boundaries are easier to recover when each argument sits on its own line.
  • Before sharing or screenshotting, scrub Cookie, Authorization, and other sensitive fields in the structured view.
  • When diffing two responses, pretty the body first, then send it to a JSON diff. Whitespace and key order will not get in the way.
  • Response header hints are baseline signals, not a verdict. Critical assets still need a proper security review.
  • Do not leave production cookies or tokens sitting in any online tool, including this one. Clear the input when finished.
  • Replace example domains and placeholder tokens in exported code before you commit or share it.

Limitations

Knowing what the tool does not do keeps you from reaching for it as a proxy or scanner.

  • No network requests are made; the tool only parses the text you paste, so it cannot capture or replay traffic.
  • TLS handshakes and HTTP/2 or HTTP/3 frame structures are out of scope. The input must be a readable message.
  • Compressed bodies (gzip, brotli) are not decoded. Decompress them in your proxy first.
  • The response header checks are baseline hints, not a replacement for a full security review or pentest.
  • fetch parsing follows the DevTools shape. Hand-written or heavily wrapped snippets may not parse in full.

FAQ

Common questions cover format detection, cookie handling, export accuracy, and where the data lives.

Do I need to switch formats first?

No. Auto-detect inspects the first line and decides between cURL, fetch, and raw HTTP. If detection picks wrong, switch manually from the toolbar.

What does a raw HTTP message need to include?

A request needs at least a request line (for example, GET /path HTTP/1.1) and a Host header. A response needs a status line (for example, HTTP/1.1 200 OK). Headers and body are separated by one blank line.

Can I run the exported fetch or axios code as-is?

The export preserves method, URL, headers, and body, so it is a solid starting point. Adjust auth, error handling, and environment variables to fit your project before shipping it.

How are Set-Cookie headers handled?

Each line is split into name, value, and attributes. Common issues are surfaced as hints — for example, SameSite=None without Secure, or __Host- prefixes that do not match Path=/ with no Domain.

Does pasted data get uploaded?

No. Detection, parsing, and conversion all happen in the browser. No network request carries your messages or cookies out of this page.

Why is the cURL export empty for a response?

cURL, fetch, and axios all describe a request. A response does not carry enough information to reconstruct one, so for responses the only export available is raw HTTP.

Related tools

Keep going on network and browser work — parse a User-Agent, clean a URL, or decode the JWT from an Authorization header.