#http

The canonical MIME / media-type database (the jshttp mime-db used by Express and most of the Node ecosystem: IANA + Apache + nginx), served from memory — no key. Resolve a media type to its file extensions, charset and compressibility; reverse-lookup the media type(s) for a file extension (e.g. png → image/png); and search or list types by source. 2,600+ media types, 1,000+ with file extensions. Lean, predictable JSON. Ideal for upload validation, Content-Type resolution, file-type detection, download handlers and developer tooling.

api.oanor.com/mimetypes-api

Build correct CORS response headers and evaluate preflight requests — without re-reading the spec every time. The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max-age and any exposed response headers) into the exact set of Access-Control-* headers to return, and it handles the parts people get wrong: you cannot combine a wildcard origin with credentials, so it reflects the specific request origin and adds Vary: Origin instead; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected. The check endpoint takes an incoming request — its Origin, the (requested) method and the Access-Control-Request-Headers — and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send back. Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors, and getting a security policy exactly right. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and checks the headers; it does not make a cross-origin request — to inspect a live site's security headers use a security-headers API.

api.oanor.com/cors-api

Find the real client IP behind proxies, CDNs and load balancers. The client endpoint takes an X-Forwarded-For list (or an RFC 7239 Forwarded header) together with a count of proxies you trust, and returns the actual client address — stripping the trusted proxies from the right-hand side so that a spoofed left-most value cannot fool you — along with the full ordered hop chain, the left-most and right-most entries and the address family. The parse endpoint decomposes a Forwarded header into its for/by/host/proto hops, or an X-Forwarded-For header into its ordered list of addresses, stripping ports and IPv6 brackets so you get clean IPs. Getting this right matters for security: trusting the wrong entry lets clients spoof their IP, so the trusted-proxy model returns the first address you did not put there yourself. Everything is computed locally and deterministically, so it is instant and private. Ideal for reverse proxies and API gateways, rate limiting and abuse prevention, audit logging and analytics, geo and fraud checks, and any backend sitting behind a load balancer. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This parses forwarding headers to find the client IP; to geolocate that IP use an IP-geolocation API.

api.oanor.com/clientip-api

Parse and build HTTP Content-Disposition headers (RFC 6266, with RFC 5987 filename* encoding). The parse endpoint reads a header into its disposition type (attachment, inline or form-data), its filename — correctly decoding the extended filename*=UTF-8''… form and preferring it over a plain filename exactly as the specification requires — the form-data field name, and any remaining parameters. The build endpoint assembles a correct header from simple fields and, when a filename contains non-ASCII characters (accents, emoji, CJK), automatically emits both an ASCII fallback filename and the percent-encoded filename*, so every browser shows the right download name while older clients still work. Everything is computed locally and deterministically, so it is instant and private — no file is ever fetched or stored. Ideal for file-download and upload endpoints, object storage and CDNs, content gateways and proxies, email and multipart handling, and debugging why a download is mis-named. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and parses the header string itself; it does not serve a file.

api.oanor.com/contentdisposition-api

Parse and build HTTP Cache-Control headers (RFC 9111). The parse endpoint turns a Cache-Control header into structured, named directives — public and private, no-store, no-cache, no-transform, max-age and s-maxage, must-revalidate and proxy-revalidate, immutable, stale-while-revalidate, stale-if-error, min-fresh and max-stale — together with a quick summary: whether the response is cacheable, whether it must be revalidated before use, its visibility (public or private) and its max-age in seconds. The build endpoint assembles a correct, canonically-ordered header from simple boolean and numeric fields, validating that the second-based directives are non-negative integers and quoting field-list forms of no-cache and private. Everything is computed locally and deterministically, so it is instant and private. Ideal for CDN and edge configuration, caching proxies and reverse proxies, API responses and static-asset tuning, and debugging why a response is (or is not) being cached. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and parses the header string itself; it does not fetch a URL.

api.oanor.com/cachecontrol-api

Parse and build RFC 8288 HTTP Link headers (Web Linking). The parse endpoint turns a Link header into a structured list — each link with its URI, its rel relation(s) and any target attributes (title, type, hreflang, media, anchor) — and also returns a handy rel→uri map, so you can grab the next, prev, first and last URLs for API pagination in a single step. It correctly handles the awkward parts: multiple comma-separated links, commas inside angle-bracketed URIs, quoted parameter values, multiple space-separated rel tokens, and RFC 8187 extended values. The build endpoint assembles a correct Link header from one or more link objects (or a single uri + rel with optional attributes), quoting values only where required. Everything is computed locally and deterministically, so it is instant and private. Ideal for paginated REST APIs and clients, hypermedia and HATEOAS, HTTP preload/prefetch hints, feed and alternate-format discovery, proxies and gateways. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and parses the Link header string itself; it does not fetch a URL.

api.oanor.com/linkheader-api

HTTP content negotiation as an API. The parse endpoint reads an Accept, Accept-Language, Accept-Encoding or Accept-Charset header — with quality (q) values and parameters — into a clean list ranked by the client's preference. The negotiate endpoint takes that header plus the list of values your server can actually serve and returns the single best match, along with the full ranked result and the entry that matched each candidate. It applies the correct rules for each kind: media-type type and subtype wildcards (text/*, */*), RFC 4647 language-range matching (a request for en matches your en-US, and en-US falls back to en), and exact matching with a * wildcard for encodings and charsets — and a q=0 entry correctly rejects a value. Everything runs locally and deterministically, so it is instant and private. Ideal for i18n middleware and locale selection, API versioning by media type, response-format and compression selection, CDNs, proxies and edge functions. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This negotiates HTTP headers; to validate or decompose a single BCP-47 language tag use a BCP-47 API.

api.oanor.com/negotiate-api

Parse and build HTTP cookies. The parse endpoint reads a Set-Cookie header into its name, value and structured attributes — Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Priority and Partitioned — or, with mode=cookie, splits a request Cookie header like "a=1; b=2; c=3" into an ordered list and a name→value map. The serialize endpoint builds a correct Set-Cookie string from simple fields, with sensible defaults (Path=/), proper date formatting for Expires, optional URL-encoding of the value, and validation of the cookie name, the date and the enum attributes — and it automatically adds Secure when SameSite=None, as browsers require. Everything is computed locally and deterministically, so it is instant and private. Ideal for web frameworks and middleware, API debugging and proxies, session and consent tooling, testing and security review. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This parses and builds cookie strings; it does not fetch a URL — to inspect a live site's response headers use a security-headers or HTTP API.

api.oanor.com/cookie-api

Every HTTP status code as an API. Look up any code (e.g. 404, 429, 503) and get its standard reason phrase, its class (1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error), a plain-English description, the RFC that defines it, and handy flags for whether it is an error and whether it is commonly safe to retry (408, 425, 429, 500, 502, 503, 504). List every assigned code or filter by class, and enumerate the five status classes. Perfect for API clients and gateways, error pages, logging and monitoring dashboards, documentation and teaching. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 4 endpoints. Distinct from host/uptime checkers that report a live status — this is the reference dictionary of the codes themselves.

api.oanor.com/httpstatus-api

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

A clean, programmatic reference for HTTP semantics, built on the official IANA registries. Look up any status code with its reason phrase and class (404 → Not Found, Client Error; 503 → Service Unavailable, Server Error), list a whole class (4xx, 5xx…); look up any method with its safe/idempotent flags (GET → safe + idempotent, POST → neither, DELETE → idempotent); or look up / search the 255 registered HTTP header fields (Content-Type, Authorization, …) with their registration status. Ideal for API tooling, HTTP clients, documentation, linters, learning resources and error pages.

api.oanor.com/http-api