Created to help in the investigation of suspicious links, RawHTTP will show you what a page looks like along with its HTTP information.
Created to help in the investigation of suspicious links, RawHTTP will show you what a page looks like along with its HTTP information.
Settings are saved in your browser's localStorage
| Type | Name | URL | |
|---|---|---|---|
RawHTTP.com was created to help in the investigation of suspicious links.
Submitted URLs and screenshots are not stored or logged. Save the screenshot if you want to keep it, since running the same check again fetches a new one.
If the URL entered performs some action, for example unsubscribing from a mailing list, those actions will still be taken. Information in the URL, such as personal information or other identifiers, is sent along with the request.
Domains containing [.] will be replaced with a single dot and [:] in the scheme will be replaced with a colon. This reduces friction when pasting defanged URLs.
Shows the chain of requests to reach the destination, including any redirects with their status codes, plus HTTP response headers for each hop.
Shows the TLS certificate presented by the destination: subject, issuer, validity dates, serial number, and Subject Alternative Names. Certificate retrieval does not verify trust, so expired, self-signed, and mismatched certificates are still shown. Click "Download Certificate" to save the raw certificate.
Facts extracted automatically from the destination page and its certificate. Items flagged here are worth a closer look, not a verdict.
Flags certificate and connection problems, including hostname mismatches, expired or not-yet-valid certificates, self-signed certificates, missing Subject Alternative Names, weak signature algorithms or key sizes, deprecated TLS versions, and weak cipher suites.
Title, Open Graph title and site name, meta description, keywords, and meta refresh redirects reported by the page.
Every form on the page, including its method, action, and fields. Flags a password field and an action that posts off-domain, since that combination is common in credential-phishing pages.
Every iframe on the page, flagged if it is cross-domain or hidden, and every externally-hosted script the page loads.
Cookies the page attempts to set, flagged if they are missing httpOnly, missing secure, or set with SameSite=None.
If the destination is an image or PDF rather than a web page, shows its metadata instead: dimensions and EXIF/GPS data for images, or title, author, producer, and page count for PDFs.
Shows what the page looks like in a browser. Useful for safely inspecting suspected phishing pages. Click the screenshot to open a full-size version in a new tab.
Displays the full HTML of the resulting page. Click "Add Syntax Highlighting" to make it easier to read. Note this may be slow on large pages.
All resources the destination URL requested: stylesheets, images, scripts, and more.
Browser console messages from loading the destination URL, as you would see in developer tools.
Under Settings, add third-party web resources to pivot a URL, Domain, or IP to. Use %s where the indicator should appear. Saved in local browser storage only.
A separate toolbox, opened from Tools in the top navigation, for encode/decode/hash/scan tasks that do not require a full URL check: Base64, URI encoding, LZ-String, IOC defanging, MD5/SHA-1/SHA-256 hashing, and QR/OCR image decoding. Runs entirely in the browser; nothing here is sent anywhere.
Bitcoin: 3FqX4X3j6J8BcFKPnirG7L7LNUd4Xxu8Jn
Dogecoin: DRzthaf8RHSdocKsZZ9UxUWW9i277ap9ci
RawHTTPcoin: bG9sLiBqdXN0IGtpZGRpbmcu
contact[@]rawhttp[.]com
Everything runs in your browser, nothing is sent anywhere.
Both QR and OCR are available. Which should receive the pasted image?