Free Tool

API Status Checker

Instantly check any API endpoint's status, response time, security headers, and CORS configuration. Free, no signup required.

What You Get

Here's an example of the API health report this tool provides. Try it above with any endpoint.

200

Endpoint Healthy

https://api.example.com — 142 ms response time

Status Code: 200 OK
Response Time: 142 ms
Content-Type: application/json
Server: cloudflare

Security Headers

Strict-Transport-Security: Present
Content-Security-Policy: Present
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

The checker tests your endpoint with the HTTP method you choose (GET, POST, HEAD, etc.) and reports the status code, response time, and full response headers. A 200 OK confirms the endpoint is healthy. Codes like 301/302 indicate redirects, 403 means access is forbidden, and 5xx codes signal server errors.

Security headers protect your users from common attacks. Strict-Transport-Security (HSTS) forces HTTPS connections, Content-Security-Policy mitigates XSS attacks, X-Frame-Options blocks clickjacking, and X-Content-Type-Options stops MIME-type sniffing. Missing security headers leave your API and its users exposed to known vulnerabilities.

How It Works

1. Enter URL

Type any URL or API endpoint. We'll send a request and follow any redirects automatically.

2. We Analyze Headers

Our server checks the response status, security headers, CORS configuration, caching headers, and redirect chain.

3. See the Results

View the full status report with a security grade, response details, and actionable insights.

HTTP & API Glossary

The headers and terms that appear in any API check — explained without the spec-speak.

Status codes (1xx–5xx)

1xx informational, 2xx success, 3xx redirection, 4xx client error (your fault), 5xx server error (their fault). Knowing the family tells you who needs to fix what before you read a single byte of the body.

TTFB

Time To First Byte — how long after the request was sent until the first response byte arrived. Captures DNS, TCP, TLS, and server processing time. Under 200 ms is excellent; over 600 ms hurts perceived performance and Core Web Vitals.

CORS

Cross-Origin Resource Sharing. By default, browsers block scripts from reading the responses to cross-origin XHR and fetch requests; the server opts in by sending Access-Control-Allow-Origin. Misconfigured CORS either blocks legitimate frontends or exposes the API to any origin (the * wildcard).

HSTS

Strict-Transport-Security tells browsers to always use HTTPS for the domain. With max-age and the preload flag, the very first connection is forced to HTTPS — eliminating downgrade attacks.

Content-Security-Policy

Tells the browser which sources are allowed to load scripts, styles, frames, and images. The single most effective defense against stored XSS when paired with sensible defaults like 'self' and explicit allowlists.

Cache-Control

Controls how clients and proxies cache the response. public, max-age=3600 means anyone can cache for 1 hour; no-store means never cache; private means only the end user may cache, not the CDN. Wrong cache headers either kill performance or leak data.

HTTP Status Codes & Common API Errors

The status codes you actually run into in production, what they mean, and how to fix them.

400 Bad Request

The server rejected the request

The request was malformed — missing required parameters, invalid JSON, wrong content type, or an unsupported query string. Inspect the response body for the server's specific complaint and fix the request.

401 Unauthorized

Authentication required or invalid

The endpoint requires authentication and either no credentials were supplied or the ones provided are invalid (expired token, wrong API key, signature mismatch). Check the WWW-Authenticate header for the expected scheme.

403 Forbidden

Authenticated but not allowed

Credentials were accepted but the caller does not have permission for this resource. Different from 401 — re-authenticating will not help. Check IAM/role policy or per-resource ACLs.

404 Not Found

Endpoint or resource does not exist

Either the URL is wrong, the resource was deleted, or the API version in the path does not exist. Some APIs also return 404 for resources the caller is not allowed to see (to avoid leaking existence).

429 Too Many Requests

Rate limit exceeded

The caller has exceeded the API's rate limit. Inspect Retry-After, X-RateLimit-Remaining, and X-RateLimit-Reset headers to back off correctly. Implementing exponential backoff is the industry-standard fix.

500 Internal Server Error

Generic server-side failure

Something blew up on the server — unhandled exception, uncaught database error, deployment in a broken state. Repeat the request to confirm it is consistent, then check server logs / your error tracker.

502 Bad Gateway

Upstream server returned an invalid response

Your reverse proxy or CDN reached the origin but the origin returned garbage (or crashed mid-response). Often a sign the origin is restarting, OOM-killed, or a worker process is wedged.

503 Service Unavailable

Server is temporarily overloaded or down

The server is intentionally refusing requests — maintenance mode, graceful shutdown, or autoscaler still booting capacity. Honor Retry-After if present. If you see 503s without one, the origin is likely overwhelmed.
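The back-off advice in the 429 and 503 entries above, as an added example (not code from exit1.dev). The function name `retry_delay`, the `max_wait` ceiling and the reading of X-RateLimit-Reset as a Unix timestamp are assumptions; the sample responses are constructed.

```python
import email.utils
import random
from datetime import datetime, timezone

def retry_delay(status, headers, attempt, now=None, base=1.0, cap=60.0,
                max_wait=300.0, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based); None = do not retry."""
    if status not in (429, 503):
        return None
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v.strip() for k, v in headers.items()}
    wait = None

    retry_after = h.get("retry-after", "")
    if retry_after.isdigit():                       # delta-seconds form
        wait = float(retry_after)
    elif retry_after:                               # HTTP-date form
        try:
            when = email.utils.parsedate_to_datetime(retry_after)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            wait = max((when - now).total_seconds(), 0.0)
        except (TypeError, ValueError):
            wait = None                             # unparseable: fall through

    reset = h.get("x-ratelimit-reset", "")
    if wait is None and h.get("x-ratelimit-remaining") == "0" and reset.isdigit():
        # Assumption: the reset value is a Unix timestamp. These headers are not
        # standardized and some APIs send seconds-until-reset instead.
        wait = max(float(reset) - now.timestamp(), 0.0)

    if wait is not None:
        # Never retry earlier than the server asked; give up if the wait is too long.
        return wait if wait <= max_wait else None
    # No server hint: exponential backoff with full jitter, capped.
    return rng() * min(cap, base * 2 ** attempt)

# Constructed sample responses (not captured from a real API).
SAMPLES = [
    (429, {"Retry-After": "30"}),
    (503, {"Retry-After": "Wed, 21 Oct 2015 07:28:00 GMT"}),
    (429, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1445412435"}),
    (503, {}),
]

if __name__ == "__main__":
    for status, hdrs in SAMPLES:
        print(status, hdrs, "->", retry_delay(status, hdrs, attempt=2))
```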

504 Gateway Timeout

Upstream did not respond in time

Your reverse proxy or CDN gave up waiting on the origin. Usually means a slow database query, a hung dependency, or a long-running request that exceeds the proxy's timeout. Optimize the slow path or raise the timeout.

CORS error (no status)

Browser blocked the response

Reported in the browser's dev tools, not at the HTTP level: the server did not send the right Access-Control-Allow-Origin. Test from this checker (which sends the request from a server, so CORS does not apply) to confirm the endpoint works server-side, then fix the CORS headers.

Frequently Asked Questions

This tool sends a request to any URL or API endpoint and reports its status (up, down, or redirecting), response time, HTTP headers, security headers grade, CORS configuration, caching headers, and redirect chain — all in real time.

Yes, completely free with no signup required. Just enter a URL and check instantly. There are no daily limits.

The security grade (A+ through F) evaluates how well a server implements security best practices via HTTP headers. It checks for HSTS (Strict-Transport-Security), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. A higher grade means better protection against common web attacks.
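An added example of a header audit over the six headers named above (not exit1.dev's scoring). It checks values as well as presence, since a header can be present yet ineffective. The pass criteria (180-day HSTS minimum, the CSP test) and the count-to-grade mapping are assumptions; the sample headers are constructed.

```python
import re

def _hsts_ok(value):
    # max-age=0 tells browsers to forget the policy, so presence alone is not enough.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000   # assumption: 180 days minimum

def _csp_ok(value):
    # Find the directive that governs scripts: script-src, else default-src.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    src = directives.get("script-src", directives.get("default-src"))
    # Simplification: ignores nonces and hashes, which override 'unsafe-inline'.
    return src is not None and "'unsafe-inline'" not in src and "*" not in src

CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    # A comma-separated list is a fallback chain; the last value wins.
    "referrer-policy": lambda v: v.split(",")[-1].strip().lower() not in ("", "unsafe-url"),
    "permissions-policy": lambda v: bool(v),          # presence only
}
GRADES = ["F", "F", "D", "C", "B", "A", "A+"]         # assumption: indexed by passes

def grade_headers(headers):
    """Return (grade, {header: 'ok' | 'weak' | 'missing'}) for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}
    for name, ok in CHECKS.items():
        results[name] = "missing" if name not in h else ("ok" if ok(h[name]) else "weak")
    passed = sum(r == "ok" for r in results.values())
    return GRADES[passed], results

# Constructed headers matching the four shown in the sample report on this page.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(grade_headers(SAMPLE))
```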

CORS (Cross-Origin Resource Sharing) headers control which websites can make requests to an API. The Access-Control-Allow-Origin header specifies allowed origins, while other headers control allowed methods, headers, and credentials. Misconfigured CORS can either block legitimate requests or expose APIs to unauthorized access.
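An added example (not exit1.dev's code) that audits one response's CORS headers against the origins you expect to allow. It goes beyond the wildcard case to cover `null`, unlisted origins with credentials, and a missing `Vary: Origin`. The function name, finding codes and sample headers are constructed for illustration.

```python
def audit_cors(headers, allowlist):
    """Return a list of (code, detail) findings for one response's CORS headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    # Browsers only honour the exact, case-sensitive value "true".
    creds = h.get("access-control-allow-credentials") == "true"
    vary = {t.strip().lower() for t in h.get("vary", "").split(",")}

    if acao is None:
        return [("NO_ACAO", "browsers will block cross-origin reads of this response")]
    findings = []
    if acao == "*":
        findings.append(("WILDCARD", "any origin may read this response"))
        if creds:
            findings.append(("WILDCARD_WITH_CREDENTIALS",
                             "browsers reject '*' on credentialed requests, "
                             "so cookie-based frontends break"))
    elif acao == "null":
        findings.append(("NULL_ORIGIN",
                         "sandboxed iframes and local files send Origin: null"))
    else:
        if acao not in allowlist:
            code = "UNLISTED_ORIGIN_WITH_CREDENTIALS" if creds else "UNLISTED_ORIGIN"
            findings.append((code, f"{acao} is not in the expected allowlist"))
        if "origin" not in vary:
            findings.append(("MISSING_VARY_ORIGIN",
                             "if the value is chosen per request, shared caches "
                             "can serve one origin's headers to another"))
    return findings

# Constructed sample responses; the origins are placeholders.
ALLOWLIST = {"https://app.example.com"}
SAMPLES = {
    "no CORS headers": {},
    "public wildcard": {"Access-Control-Allow-Origin": "*"},
    "wildcard + credentials": {"Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true"},
    "allowlisted": {"Access-Control-Allow-Origin": "https://app.example.com",
                    "Vary": "Accept-Encoding, Origin"},
    "unlisted + credentials": {"Access-Control-Allow-Origin": "https://untrusted.example",
                               "Access-Control-Allow-Credentials": "true"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", [code for code, _ in audit_cors(hdrs, ALLOWLIST)])
```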

Redirects (301, 302, 307, 308) happen when a server sends your request to a different URL. Common reasons include HTTP to HTTPS upgrades, www to non-www redirects, URL canonicalization, or load balancing. While a few redirects are normal, excessive redirect chains can slow down your application.

Under 200 ms is excellent, 200-500 ms is good, 500-1000 ms is acceptable for complex operations, and over 1 second may indicate performance issues. Response times vary based on server location, processing complexity, and network conditions.

Yes! exit1.dev offers continuous API and website monitoring with alerts via email, Slack, Discord, and webhooks. You'll get notified instantly when your endpoints go down, respond slowly, or have SSL/domain issues.

Last updated · Built and maintained by exit1.dev — uptime, SSL, and domain monitoring with instant alerts.

Need Continuous API Monitoring?

Stop checking manually. exit1.dev monitors your APIs and websites 24/7 and alerts you instantly when something goes wrong. Get notified via email, Slack, Discord, or webhooks.
