Host/Authority/Origin Inspect

Parse and diagnose HTTP headers and routing signals in your browser. No input is sent to a server. Use it for first-pass observation-gap troubleshooting.

Status

Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.

How to use

Paste Host / :authority / Origin / Referer and click “Parse”. It splits and lists each value (header lines/multi-line paste/full headers OK).

Notes (this tool)

  • Referer may be omitted due to Referrer-Policy.

About this page

What does this tool do?

Split Host / :authority / Origin / Referer and display host/scheme/path components clearly.

Useful for diagnosing CORS failures, broken URL generation, and unexpected Host handling.

Basics (roles)

  • Host is the HTTP/1.1 host header; :authority is its HTTP/2+ equivalent.
  • Origin indicates the requesting origin in CORS contexts.
  • Referer is the referring URL and may be omitted.

Syntax (how to read)

  • Host: example.com
  • :authority: example.com:443
  • Origin: https://example.com
  • Referer: https://example.com/path?x=1

Glossary (terms used on this page)

  • Origin: scheme + host + port (no path).
  • Authority: host[:port], used in HTTP/2.
  • Same-origin: exact match of Origin.

Why it helps (CORS/URL generation)

Differences among Host/Origin/Referer often cause CORS or URL-generation issues. Visualizing them reveals root causes.

  • Origin is central to CORS (not the same as Host)
  • Referer may be omitted (Referrer-Policy)

Examples (common patterns)

  • CORS mismatch: Origin is api.example.com but allowlist has only example.com
  • Host rewrite: Host and :authority differ or are unexpected
  • Missing Referer: suppressed by Referrer-Policy

How to test (measure)

Start with DevTools Network to inspect request headers, and reproduce with curl if needed (replace the URL).

  • Use curl -I https://example.com/ to check Host/Location in responses
  • For CORS, add Origin: curl -I -H \"Origin: https://app.example\" https://api.example

Common pitfalls

  • Confusing Origin with Host in allowlists
  • Host rewriting behind proxies (X-Forwarded-Host)
  • Assuming Referer is always present

Troubleshooting checklist by symptom

  • CORS failing: verify Origin matches allowlist including port
  • Broken URL generation: check consistency of Host/:authority/Forwarded/X-Forwarded-Host
  • Missing Referer: check Referrer-Policy (no-referrer, etc.)

Debugging workflow (recommended)

  • Extract Host/Origin/Referer via Request Headers Parser
  • Split and compare each value here
  • Check consistency with Forwarded / X-Forwarded-Host / X-Forwarded-Proto
  • Forwarded Inspect
  • X-Forwarded-Proto Inspect
  • Referrer-Policy Inspect
  • Request Headers Parser

What this tool does

  • Extract and list Host / :authority / Origin / Referer
  • Parse Origin/Referer URLs
  • Extract relevant lines from full headers

Operational notes

  • Intermediaries may rewrite headers. Compare captures from equivalent points.
  • Confirm final decisions with server logs and configuration such as trusted proxy and routing.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • RFC 9113 (HTTP/2)
  • MDN: Origin / Referer / Host

FAQ

Are Host and Origin the same?

No. Origin is scheme+host+port; Host is host[:port].

Is missing Referer a bug?

It can be omitted due to Referrer-Policy or browser settings.

References

  1. RFC 9110
  2. RFC 9113
  3. MDN: Origin
  4. MDN: Referer
  5. MDN: Host
  6. MDN: CORS

These links are generated from site_map rules in recommended diagnostic order.

  1. How to Diagnose CORS Preflight Failures — Fix preflight failures by validating OPTIONS responses, Allow-* directives, and origin rules in order
  2. How to Diagnose Set-Cookie Not Persisting — Isolate cookie persistence failures by checking Domain/Path/Secure/SameSite in order
  3. How to Diagnose Lost Login After OAuth Return — Isolate cookie-delivery failures after IdP return across SameSite, Secure, Path/Domain, and collisions
  4. Origin Allowlist Check — Match Origin values against an allowlist
  5. CORS Checklist — Provide a step-by-step CORS verification checklist
  6. CORS Response Inspect — Parse Access-Control-Allow-* headers to audit CORS responses
  7. CORS Error Troubleshooting — Troubleshoot CORS failures by correlating browser errors with request/response headers
  8. CORS Diagnostic — Diagnose CORS decisions by comparing Origin and Allow-*

CORS

Compare Origin and Allow-* headers to audit CORS decisions