HAR Viewer & Analyser

Load a .har file to inspect network requests, response times, status codes, and headers — auth headers and tokens masked by default. Files never leave your browser.

Runs 100% client-side
On this page5 sections

Drop a .har file here, or click to browse

Export from Chrome DevTools → Network → Save all as HAR

Your HAR file never leaves your browser — 100% client-side

HOW TO USE

  1. 01Export a HAR from Chrome DevTools (Network → Save all as HAR) or a proxy tool.
  2. 02Load the .har file — all parsing is local, nothing is uploaded.
  3. 03Filter by URL/domain and sort by time to find slow or failing requests; click an entry to inspect headers and timing.
  4. 04Enable 'Mask auth headers & tokens' before screenshotting for a bug report.

Try it

Load a HAR captured during a failing API test and filter to the failing request

WHEN TO USE

Use when diagnosing network-layer failures in a test session: slow requests, unexpected status codes, missing or malformed headers, CORS preflight failures, or authentication errors. Export a HAR from Chrome DevTools (Network tab → right-click → Save all as HAR) or any proxy tool, then load it here to filter, search, and inspect without sending credentials to a third-party server.

WHAT BUGS THIS FINDS

  • Missing auth headers

    A request that requires a Bearer token reaches the server without an Authorization header — the session or interceptor is misconfigured.

  • CORS preflight rejected

    A 403 or missing Access-Control-Allow-Origin on an OPTIONS request causes the actual request to never fire in browser-based tests.

  • Token in query string

    A credential (access_token, api_key) is appended to the URL as a query parameter, making it visible in server logs and referrer headers.

  • Slow TTFB masking backend error

    A request with a >3s Time To First Byte is often a sign of an unhandled exception or database bottleneck on the backend, not a network issue.

  • Set-Cookie missing Secure/HttpOnly

    A session cookie set by the server lacks the Secure or HttpOnly flag — visible in the response Set-Cookie header.

QA USE CASES

01

Triage a failing API test

Load the HAR captured during a failing test run to see exact request/response headers and timing without re-running the test.

02

Audit auth headers

Confirm Authorization and Cookie headers are present on every request that requires authentication — missing headers mean the session isn't being forwarded.

03

Diagnose CORS failures

Inspect the preflight OPTIONS request and response Access-Control-Allow-* headers to pinpoint exactly which origin or method is blocked.

04

Profile slow requests

Sort by time to identify the slowest requests — TTFB, DNS, and connect phases are broken down per entry.

05

Detect credential leakage

Enable 'Mask auth headers & tokens' and scan the URL column for ?token= or ?access_token= params that shouldn't be in query strings.

Related

Glossary

HARCORSLatencyCachingNetwork ThrottlingPerformance TestingWaterfall ChartTime to First ByteHTTP Status Code