Symptom-Based Diagnostic Guides

Use this as the entry point when you are unsure where to start. Pick the closest incident and follow its workflow.

Shortest workflow

1. 1) Choose the scenario closest to your current symptom
2. 2) Follow the diagnostic steps in that scenario page
3. 3) If unsure, use comparison pages to re-select the right tool path

Pick a scenario by symptom

• How to Diagnose Missing 304 Responses — Trace ETag/Last-Modified and If-* round trips to isolate missing 304 behavior
• How to Diagnose Stale Content After Deployment — Check cache policy by HTML/API/static assets to isolate stale deployment issues quickly
• How to Diagnose CORS Preflight Failures — Fix preflight failures by validating OPTIONS responses, Allow-* directives, and origin rules in order
• JWT 401/403 Diagnostic Playbook — Separate 401 and 403 using Authorization, WWW-Authenticate, claims, and signature checks
• How to Diagnose Retry Storms on 429/503 — Isolate Retry-After parsing and client implementation gaps to stop excessive retries
• How to Diagnose JS/CSS Blocks from nosniff Mismatch — Trace Content-Type vs nosniff mismatches, fallback responses, and delivery-layer rewrites
• How to Diagnose Set-Cookie Not Persisting — Isolate cookie persistence failures by checking Domain/Path/Secure/SameSite in order
• How to Diagnose Lost Login After OAuth Return — Isolate cookie-delivery failures after IdP return across SameSite, Secure, Path/Domain, and collisions
• How to Diagnose Same-Name Cookie Collisions — Resolve unstable behavior by tracing same-name cookie path/domain variants, overwrite order, and send collisions
• Cookie Incident Operational Checklist — Standardize response from triage to permanent fixes across storage failures, OAuth return issues, and same-name collisions

Comparison guides (when unsure)

• How to choose cache tools — Route stale-update, missing-304, and CDN-only mismatch issues to the right tools
• How to choose cookie tools — Route Set-Cookie, Domain-Path, SameSite, conflict, and size checks by symptom
• How to choose CORS tools — Map preflight failures, origin mismatches, and credential conflicts to the right checks
• JWT Decoder vs Verifier — Clarify decode vs signature verification roles and connect to 401/403 troubleshooting flow
• How to choose response header tools — Map Retry-After, Server-Timing, Link, Content-Type, and nosniff checks by symptom

Fastest data to collect first

• Full response headers of the target URL (including status and Date)
• Exact browser console errors (CORS/MIME/JWT)
• Reproduction time and environment differences (prod/staging, CDN or not)

Scope of this hub

• Cache revalidation failures (missing 304, stale deployment updates)
• CORS preflight failures and origin allowlist mismatches
• JWT 401/403 separation, TTL, and signature-related issues
• Retry storms from ignored Retry-After and nosniff+MIME mismatches
• Set-Cookie persistence failures (Domain/Path/Secure/SameSite mismatches)

FAQ

Which scenario should I start with?

Start with the scenario that matches the first visible error (missing 304, failed preflight, 401/403, or MIME error).

What is the difference between tools and scenario pages?

Tools analyze specific headers/values, while scenario pages provide symptom-first diagnostic order.

When should I use comparison pages?

Use comparison pages when multiple candidate tools fit the symptom and you need to pick the first one.

Referenced specs

• RFC 9110 (HTTP Semantics)
• RFC 9111 (HTTP Caching)
• Fetch Standard (CORS)
• RFC 7519 (JWT)