HTTP status code checker. Single or bulk, with verdict.
Type a URL or paste up to 20. We fetch each via the AllOrigins public proxy, return the HTTP status code, content-type, response time, and a verdict line per status (200 OK, 301 redirect, 404 not found, etc.). Browser-only.
Type a URL or paste up to 20 (one per line). We fetch each via the AllOrigins public proxy and return status code, content-type, response time per URL. Each result gets a plain-language verdict explaining the code.
Each fetch routes through api.allorigins.win. ~1-3s per URL typical.
Sources used
- AllOrigins — free public CORS proxy used to fetch cross-origin URLs
- RFC 9110 — HTTP semantics, including status code definitions
- MDN HTTP status codes — canonical reference
URLs are sent to AllOrigins for the fetch. Digital Heroes never sees your queries.
Privacy: URL goes to AllOrigins only; Digital Heroes doesn't log.
Five status families. Different meanings.
2xx Success. The request worked. 200 OK is the universal success. 201 Created for resource creation (POST endpoints). 204 No Content for success-with-empty-body (DELETE endpoints).
3xx Redirect. The resource moved. 301 Permanent is the SEO-preserving move — Google transfers link equity. 302 Found and 307 Temporary do NOT transfer equity; use only for genuinely-temporary redirects (A/B test, geo-routing, maintenance). 308 Permanent is like 301 but preserves the request method (POST stays POST). 304 Not Modified is the cache-hit response — server tells the browser "use your cached copy."
4xx Client error. The request had a problem. 400 Bad Request = malformed input. 401 Unauthorized = missing or invalid credentials (despite the name, it's about authentication). 403 Forbidden = auth was valid but access is denied (different from 401 — auth is fine, permission is not). 404 Not Found = URL doesn't exist. 410 Gone = intentionally removed (better than 404 for SEO removal — tells Google the URL is dead permanently). 429 Too Many Requests = rate limited.
5xx Server error. The server had a problem. 500 Internal Server Error = generic server crash, look at logs. 502 Bad Gateway = the proxy / load balancer couldn't reach the upstream server. 503 Service Unavailable = overloaded or in maintenance mode. 504 Gateway Timeout = upstream server took too long to respond. All 5xx codes are emergencies — alert the on-call engineer.
1xx Informational. Rare but increasingly relevant. 100 Continue for chunked-upload protocols. 103 Early Hints for the modern preload pattern — server tells the browser which resources to start fetching while the actual response is being generated. Cloudflare and Fastly both support 103; usage is growing.
Four jobs this tool covers.
Job 1: Deploy verification. After pushing a deploy, paste your top 5-20 URLs (homepage, key product pages, signup flow, API endpoints) and confirm every one returns the expected status. The bulk-check format catches the rare deploy issue where one route in 50 broke. Faster than clicking through manually.
Job 2: Migration / redirect verification. After a CMS migration or URL restructure, paste the old URLs that should now redirect. Verify each returns 301 (permanent) and not 302 (temporary) — the difference matters for SEO link equity. Pair with our Redirect Chain Checker for the full chain inspection.
Job 3: Sitemap audit. Pull your sitemap.xml URLs into a list, paste here in batches of 20. Any URLs returning 4xx need to be removed from the sitemap or fixed. Google penalizes sitemaps that contain dead URLs because it wastes their crawl budget. Pair with our XML Sitemap Validator for the structure side.
Job 4: API / integration health check. Paste your most critical API endpoints (auth, billing, primary product). Verify each returns 2xx (or expected 401 for auth-required endpoints). Useful as a quick smoke test before a big traffic event (Black Friday, product launch, marketing campaign).
Six questions users ask.
Why do you need a CORS proxy for status checks?
Browser fetch policy blocks reading the response status from cross-origin URLs without explicit CORS cooperation from the target server. Most public sites do not opt-in to this for arbitrary callers, so a direct browser fetch returns an opaque-redirect response with no readable status. We use AllOrigins (api.allorigins.win) — a free public CORS proxy that fetches the URL server-side and returns the result in JSON with the status code exposed. The URL you check is sent to AllOrigins, not stored on our servers.
What status codes does the verdict explain?
Five families. (1) 1xx informational — rare, usually 100 Continue or 103 Early Hints. (2) 2xx success — 200 OK is the universal good response. (3) 3xx redirect — 301 permanent (use for SEO-preserving moves), 302/307 temporary (don't transfer link equity), 308 permanent + preserve method, 304 Not Modified (cache hit). (4) 4xx client error — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 410 Gone (intentional removal), 429 Too Many Requests. (5) 5xx server error — 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout. The verdict tells you what the code means and the typical action.
Can I check 20 URLs at once?
Yes — paste one URL per line in the textarea. The bulk check runs in parallel through AllOrigins and renders a sorted dashboard with per-URL status, content-type, response time. Fast for catching broken links across a sitemap, validating redirect rules after a deploy, or auditing the response time of multiple endpoints. The 20-URL cap is a courtesy to AllOrigins's free public service.
Why does response time look slower than expected?
The reported response time is the round-trip from your browser → AllOrigins → target server → AllOrigins → your browser. The proxy adds 100-500ms of overhead. For accurate first-byte timing of the target server alone, use curl -w '%{time_starttransfer}' from a machine near the server (or run our Lighthouse Score Checker, which uses Google PageSpeed Insights with proper origin timing). The proxy timing here is good for relative comparison between URLs (which is slower than which), not for absolute first-byte SLA verification.
What if AllOrigins is down or rate-limited?
AllOrigins occasionally throttles or has uptime issues — it's a single-maintainer free service. When that happens, the fetch will fail with a clear error. The fallback is to run curl -I in your terminal and read the status code from the first line: HTTP/2 200, HTTP/1.1 301, etc. For automated production monitoring, use a dedicated uptime-monitor service (UptimeRobot, Better Uptime, Pingdom) — those have proper SLAs and alerting. This tool is for the manual one-off check, not automation.
Is the URL I check sent anywhere?
Yes — the URL is sent to AllOrigins (api.allorigins.win), the public CORS proxy that performs the actual fetch. AllOrigins does not log queries per their stated practice. The URL never passes through Digital Heroes servers. Fetch results are processed in your browser and not stored. The page is static HTML; the only network requests are the initial page load and the AllOrigins fetch when you click Check.
Published .