How do I convert a Python requests call to cURL?

Switch to the Code → cURL tab, select Python (requests) as the input language, paste your code, and the equivalent cURL command appears instantly. Supported: requests.get/post/put/patch/delete with headers, params, json, and auth arguments.

What does the Cookie parser do?

Paste a raw Cookie or Set-Cookie header. The tool splits it into individual cookies, decodes URL-encoded values, and for Set-Cookie shows all attributes (Domain, Path, Expires, Max-Age, HttpOnly, Secure, SameSite). Missing security attributes trigger warnings.

What does the Header Analyzer grade?

The analyzer checks for the six key security response headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each present header earns points toward an A-F grade, and missing or misconfigured headers show improvement suggestions.

Does this tool send any HTTP requests?

No. The tool only generates code — it never sends requests. All processing (code generation, parsing, analysis) runs entirely in your browser via WebAssembly. No data is transmitted to any server.

cURL & API Converter – Request Builder, Code Generator, Cookie Parser, Header Analyzer

Build HTTP requests and generate code in 8 languages (cURL, Python requests/httpx, JS fetch/axios, Go, PHP, Rust reqwest). Convert Python/JS code back to cURL. Parse Cookie/Set-Cookie headers with security warnings. Analyze HTTP security headers (HSTS, CSP, X-Frame-Options) with A-F grading. All local, nothing sent to server.

cURL & API Converter

Build HTTP requests visually and generate production-ready code in 8 languages — or paste existing code and convert it back to cURL. The Cookie Parser decodes raw Cookie and Set-Cookie headers with security analysis, and the Header Analyzer grades your HTTP response headers against the OWASP security checklist.

Everything runs locally in your browser. URLs, tokens, and cookies never leave your machine.

Request Builder

Configure any HTTP request — method, URL, headers, query parameters, request body, and authentication — and get instant code output in your language of choice.

Supported output languages:

cURL (Bash) — universal, works in any terminal
JavaScript fetch — native browser API, Node 18+
JavaScript axios — popular library for React/Vue apps
Python requests — de facto standard for Python HTTP
Python httpx — async-capable modern alternative
Go net/http — standard library, no dependencies
PHP cURL — native extension in all PHP versions
Rust reqwest — most popular async HTTP client for Rust

Code → cURL Converter

Paste a Python requests call or a JavaScript fetch() call and get the equivalent cURL command. Useful when debugging, writing shell scripts, or sharing a request with a colleague who uses a different stack.

Python requests example:

response = requests.post('https://api.example.com/v1/data', headers={'Authorization': 'Bearer token'}, json={'key': 'value'})

Converts to:

curl -X POST 'https://api.example.com/v1/data' -H 'Authorization: Bearer token' -H 'Content-Type: application/json' -d '{"key": "value"'}

Cookie Parser

Paste a raw Cookie: or Set-Cookie: header. The parser splits it into named cookies, URL-decodes values, and for Set-Cookie displays every attribute: Domain, Path, Expires, Max-Age, HttpOnly, Secure, and SameSite. Missing security attributes trigger warnings.

Security warnings triggered when:

HttpOnly is absent — cookie accessible via JavaScript (XSS risk)
Secure is absent — cookie sent over plain HTTP
SameSite is absent — cookie sent on cross-site requests (CSRF risk)
SameSite=None without Secure — invalid per RFC 6265bis

HTTP Header Security Analyzer

Paste raw HTTP response headers. The analyzer checks for the six OWASP-recommended security headers and grades the response A through F based on how many are present and correctly configured.

Security headers checked:

Strict-Transport-Security (HSTS) — enforces HTTPS connections
Content-Security-Policy (CSP) — restricts resource loading origins
X-Frame-Options — prevents clickjacking
X-Content-Type-Options — disables MIME sniffing
Referrer-Policy — controls referrer information leakage
Permissions-Policy — limits browser feature access

Request

Method

URL

Headers

Query Parameters

Request Body

Authentication

Type

Generated Code

Click to copy

Code is generated locally in your browser. No requests are sent — paste the code into your own environment to run it.