Free HAR File Analyzer
Drop a .har file from your browser DevTools. The first thing you see is a Verdict written in plain English: what we observed, what it means, what to do. Below it, every signal is broken out separately: blocks (Forcepoint, Zscaler, BlueCoat, Cloudflare WAF, and more), root-cause groups, JWT and cookie integrity, CORS preflight failures, sensitive data leaks (tokens in URLs, AWS keys in bodies, SSNs, credit cards), third-party impact scorecard, Web Vitals approximation, bot patterns, service worker activity, cache, compression, and the usual waterfall. There is also a Compare mode that diffs a 'before' and 'after' HAR. Everything runs in your browser; no upload.
How to use
1. In Chrome, Firefox, or Edge press F12 to open DevTools, switch to the Network tab, make sure recording is on, and refresh the page.
2. Right-click any row and choose "Save all as HAR with content". The "with content" part is required for block-page detection and sensitive-data scanning, since both read response bodies. (Firefox's menu item is "Save All As HAR"; open the export and confirm the entries carry response text before relying on those two checks.)
3. Drop the .har into the tool. The Verdict at the top tells you what is wrong in a few sentences plus a short list of findings, each with what we saw, what it means, and how to fix it.
4. Read the sections below the verdict in order. Root causes group many failed requests under one underlying problem. The Auth, CORS, and Leaks sections carry the highest signal for security engineers.
5. For Compare mode, switch to "Compare two" and upload a "before" and "after" HAR of the same page. The tool ignores cache-buster query params when pairing requests and highlights status flips, slowdowns, size changes, new requests, and removed requests.
FAQ
What is in the Verdict at the top?
A short paragraph plus a few findings. Each finding has three lines: What we saw (the raw observation), What it means (plain-English interpretation), What to do (a concrete next step). Findings are ordered most to least important. Items the verdict does not surface still appear in the detailed sections below.
How does the block detection work?
Each response is checked against vendor signatures in three places: response headers (e.g. Via: 1.1 hosted.websense or cf-mitigated for Cloudflare WAF), the redirect target URL (e.g. block.zscaler.net), and the first 8 KB of the response body for vendor strings ("Cloudflare Ray ID", "your organization has blocked", etc.). Detected vendors include Forcepoint, Zscaler, Symantec BlueCoat, McAfee, Squid, Cisco Umbrella, Check Point, Palo Alto, Sophos, Fortinet, Cloudflare WAF, AWS WAF, Akamai, and Imperva.
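The three-place signature check described above, as an added example that is not the tool's own code. The signature table, the vendor attribution of the generic "your organization has blocked" string, and the sample HAR are constructed for illustration; only the header names, the 8 KB window and the block-page strings quoted in the FAQ come from the page.

```javascript
// Added example, not the tool's own code: vendor block-page detection over HAR
// entries. Signature table and sample HAR are constructed for illustration.
const BODY_SCAN_LIMIT = 8 * 1024; // only the first 8 KB of each body is scanned

// Vendor attribution for the generic "your organization has blocked" string is
// assumed; real signature tables are larger and vendor-specific.
const BLOCK_SIGNATURES = [
  { vendor: "Forcepoint",     header: "via",          pattern: /websense/i },
  { vendor: "Cloudflare WAF", header: "cf-mitigated", pattern: /./ },
  { vendor: "Zscaler",        redirect: /(^|\.)zscaler\.net$/i },
  { vendor: "Cloudflare WAF", body: /Cloudflare Ray ID/i },
  { vendor: "Generic proxy",  body: /your organization has blocked/i },
];

// HAR header names are case-insensitive; returns null when the header is absent.
function headerValue(headers, name) {
  const h = (headers || []).find(x => x.name.toLowerCase() === name);
  return h ? h.value : null;
}

// Bodies may be base64-encoded (content.encoding === "base64") and are missing
// entirely in "without content" exports. Decode first, then truncate to 8 KB.
// (Buffer is Node's decoder; in a browser use atob.)
function bodyText(content) {
  if (!content || typeof content.text !== "string") return "";
  const text = content.encoding === "base64"
    ? Buffer.from(content.text, "base64").toString("utf8")
    : content.text;
  return text.slice(0, BODY_SCAN_LIMIT);
}

function redirectHost(headers) {
  const location = headerValue(headers, "location");
  if (!location) return "";
  try { return new URL(location).hostname; } catch { return ""; }
}

function detectBlocks(har) {
  const findings = [];
  for (const e of har.log.entries) {
    const headers = e.response.headers;
    const host = redirectHost(headers);
    const body = bodyText(e.response.content);
    for (const sig of BLOCK_SIGNATURES) {
      let where = null;
      if (sig.header) {
        const v = headerValue(headers, sig.header);
        if (v !== null && sig.pattern.test(v)) where = `header ${sig.header}`;
      } else if (sig.redirect) {
        if (sig.redirect.test(host)) where = "redirect target";
      } else if (sig.body.test(body)) {
        where = "response body";
      }
      if (where) {
        findings.push({ url: e.request.url, status: e.response.status, vendor: sig.vendor, where });
        break; // first matching signature wins; one verdict per response
      }
    }
  }
  return findings;
}

// Constructed sample: four responses, three blocked in different places. The
// fourth carries a vendor string past the 8 KB window and is deliberately missed.
const mk = (url, status, headers, text, encoding) => ({
  request: { method: "GET", url, headers: [] },
  response: { status, headers, content: text === undefined ? {} : { text, encoding } },
});
const SAMPLE_HAR = { log: { entries: [
  mk("https://intranet.example/app.js", 403,
     [{ name: "Via", value: "1.1 hosted.websense" }], "<html>Blocked</html>"),
  mk("https://api.example/data", 302,
     [{ name: "Location", value: "https://block.zscaler.net/?url=api.example" }]),
  mk("https://cdn.example/lib.js", 403, [],
     Buffer.from("Access denied. Cloudflare Ray ID: 0123abcd").toString("base64"), "base64"),
  mk("https://cdn.example/big.js", 200, [], "x".repeat(BODY_SCAN_LIMIT) + "Cloudflare Ray ID"),
] } };

console.log(detectBlocks(SAMPLE_HAR));
```

The base64 branch matters in practice: Chrome exports binary and some compressed bodies base64-encoded, and a scanner that regexes the raw `text` field will miss every block page served that way.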
What does the auth and cookies section detect?
JWTs in Authorization: Bearer headers are decoded (claims only; the signature cannot be verified without the key) and checked for expiry. Tokens that have already expired or expire within 60 seconds are flagged. Set-Cookie attributes are inspected for missing Secure, missing HttpOnly on auth-shaped cookies (names that look like session or token cookies), and SameSite=None without Secure, which current browsers reject outright, so the cookie is never stored. The tool also flags Authorization headers sent to a host other than your primary origin (a common way tokens leak to third parties) and infers a broken auth chain when a token-refresh endpoint failed and many 401s followed.
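The JWT expiry, cookie attribute and cross-origin Authorization checks above, as an added example that is not the tool's own code. Assumptions: the primary origin is taken from the first entry's host, "auth-shaped" is a name heuristic, the clock is passed in as `nowMs`, and the sample HAR and its JWTs (built with a dummy signature) are constructed.

```javascript
// Added example, not the tool's own code: the auth and cookie checks described
// above. JWT payloads are decoded without signature verification (a HAR carries
// no key). The primary origin is assumed to be the first entry's host.
const EXPIRY_WINDOW_S = 60;
const AUTH_COOKIE_NAME = /sess|token|auth|jwt|sid/i; // assumed "auth-shaped" heuristic

function header(headers, name) {
  const h = (headers || []).find(x => x.name.toLowerCase() === name);
  return h ? h.value : null;
}

// Returns the claims object, or null for anything that is not a three-part JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch { return null; }
}

// "name=value; Path=/; Secure; SameSite=None" -> { name, flags: { path, secure, samesite } }
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(";").map(s => s.trim());
  const name = nameValue.split("=")[0];
  const flags = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    flags[k] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, flags };
}

function analyzeAuth(har, nowMs) {
  const entries = har.log.entries;
  const findings = [];
  const primaryHost = new URL(entries[0].request.url).hostname;
  for (const e of entries) {
    const url = e.request.url, host = new URL(url).hostname;
    const auth = header(e.request.headers, "authorization");
    if (auth) {
      if (host !== primaryHost)
        findings.push({ type: "auth-cross-origin", url, detail: `Authorization sent to ${host}` });
      if (/^bearer /i.test(auth)) {
        const claims = decodeJwtPayload(auth.slice(7));
        if (claims && typeof claims.exp === "number") {
          const remaining = claims.exp - Math.floor(nowMs / 1000);
          if (remaining <= 0) findings.push({ type: "jwt-expired", url, detail: `expired ${-remaining}s ago` });
          else if (remaining <= EXPIRY_WINDOW_S) findings.push({ type: "jwt-expiring", url, detail: `${remaining}s left` });
        }
      }
    }
    for (const h of e.response.headers || []) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      const { name, flags } = parseSetCookie(h.value);
      const sameSite = typeof flags.samesite === "string" ? flags.samesite.toLowerCase() : null;
      if (!flags.secure) findings.push({ type: "cookie-missing-secure", url, detail: name });
      if (!flags.httponly && AUTH_COOKIE_NAME.test(name))
        findings.push({ type: "cookie-missing-httponly", url, detail: name });
      if (sameSite === "none" && !flags.secure)
        findings.push({ type: "cookie-samesite-none-insecure", url, detail: `${name} is rejected by the browser` });
    }
  }
  return findings;
}

// Constructed sample. JWTs are built here with a dummy signature; the clock is
// fixed so the run is deterministic.
const b64url = obj => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const NOW_MS = Date.UTC(2024, 0, 1, 12, 0, 0);
const NOW_S = NOW_MS / 1000;
const jwt = exp => `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url({ sub: "u1", exp })}.sig`;
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://app.example/", headers: [] },
    response: { status: 200, headers: [
      { name: "Set-Cookie", value: "session=abc; Path=/; SameSite=None" },       // no Secure, no HttpOnly
      { name: "Set-Cookie", value: "theme=dark; Path=/; Secure; SameSite=Lax" }, // fine
    ] } },
  { request: { method: "GET", url: "https://app.example/api/me",
      headers: [{ name: "Authorization", value: `Bearer ${jwt(NOW_S - 30)}` }] },
    response: { status: 401, headers: [] } },
  { request: { method: "GET", url: "https://app.example/api/list",
      headers: [{ name: "Authorization", value: `Bearer ${jwt(NOW_S + 45)}` }] },
    response: { status: 200, headers: [] } },
  { request: { method: "POST", url: "https://analytics.thirdparty.example/collect",
      headers: [{ name: "Authorization", value: `Bearer ${jwt(NOW_S + 3600)}` }] },
    response: { status: 204, headers: [] } },
] } };

console.log(analyzeAuth(SAMPLE_HAR, NOW_MS));
```

Against the sample this reports six findings: three for the `session` cookie, an expired token on `/api/me` (which explains its 401), a token on `/api/list` with 45 seconds left, and a bearer token sent to the analytics host.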
What is the CORS preflight tracer?
For each OPTIONS preflight, the tool compares Access-Control-Request-Method and Access-Control-Request-Headers against the response Access-Control-Allow-* headers. If the preflight returned 4xx or the allow set does not cover what the browser asked for, the tool prints the exact problem and the one-line server-side fix (e.g. "Add x-custom to Access-Control-Allow-Headers").
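The preflight comparison above, as an added example that is not the tool's own code. It applies the relevant Fetch rules: CORS-safelisted methods (GET, HEAD, POST) need not be listed, `*` in the Allow-Methods and Allow-Headers lists is a wildcard only for requests sent without credentials, and `Authorization` must always be listed explicitly. One assumption is labelled in the code: a HAR does not record the fetch's credentials mode, so `Access-Control-Allow-Credentials: true` on the response is used as a stand-in. The sample preflights are constructed.

```javascript
// Added example, not the tool's own code: checking a recorded OPTIONS preflight
// against what the browser asked for, and printing the one-line server fix.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]); // CORS-safelisted, never need listing

function header(headers, name) {
  const h = (headers || []).find(x => x.name.toLowerCase() === name);
  return h ? h.value : null;
}
const splitList = v => (v || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);

function tracePreflights(har) {
  const findings = [];
  for (const e of har.log.entries) {
    if (e.request.method !== "OPTIONS") continue;
    const req = e.request.headers, res = e.response.headers, status = e.response.status;
    const wantMethod = (header(req, "access-control-request-method") || "").toUpperCase();
    const wantHeaders = splitList(header(req, "access-control-request-headers"));
    const origin = header(req, "origin");
    const allowOrigin = header(res, "access-control-allow-origin");
    const allowMethods = splitList(header(res, "access-control-allow-methods")).map(m => m.toUpperCase());
    const allowHeaders = splitList(header(res, "access-control-allow-headers"));
    // Assumption: the HAR does not say whether the real request used credentials,
    // so treat Allow-Credentials: true as "credentialed", where * is not a wildcard.
    const credentialed = (header(res, "access-control-allow-credentials") || "").toLowerCase() === "true";

    const problems = [];
    if (status < 200 || status >= 300)
      problems.push(`Preflight returned ${status}; answer OPTIONS with 204 before any auth check runs`);
    if (allowOrigin === null)
      problems.push(`Add Access-Control-Allow-Origin: ${origin || "<origin>"}`);
    else if (allowOrigin !== "*" && allowOrigin !== origin)
      problems.push(`Access-Control-Allow-Origin is ${allowOrigin} but the request came from ${origin}`);
    else if (allowOrigin === "*" && credentialed)
      problems.push("Access-Control-Allow-Origin: * is invalid with credentials; echo the Origin instead");

    const methodOk = !wantMethod || SAFE_METHODS.has(wantMethod) ||
      allowMethods.includes(wantMethod) || (allowMethods.includes("*") && !credentialed);
    if (!methodOk) problems.push(`Add ${wantMethod} to Access-Control-Allow-Methods`);

    const wildcard = allowHeaders.includes("*") && !credentialed;
    for (const h of wantHeaders) {
      if (!allowHeaders.includes(h) && (!wildcard || h === "authorization"))
        problems.push(`Add ${h} to Access-Control-Allow-Headers`);
    }
    if (problems.length) findings.push({ url: e.request.url, status, problems });
  }
  return findings;
}

// Constructed sample: two broken preflights and one correct one.
const ORIGIN = "https://app.example";
const preflight = (url, reqHeaders, status, resHeaders) => ({
  request: { method: "OPTIONS", url, headers: reqHeaders },
  response: { status, headers: resHeaders },
});
const SAMPLE_HAR = { log: { entries: [
  // Allow-Headers covers content-type but not the custom header the page sends.
  preflight("https://api.example/items",
    [{ name: "Origin", value: ORIGIN },
     { name: "Access-Control-Request-Method", value: "PUT" },
     { name: "Access-Control-Request-Headers", value: "content-type,x-custom" }],
    204,
    [{ name: "Access-Control-Allow-Origin", value: ORIGIN },
     { name: "Access-Control-Allow-Methods", value: "GET, POST, PUT" },
     { name: "Access-Control-Allow-Headers", value: "Content-Type" }]),
  // Auth middleware rejected the preflight itself; preflights never carry credentials.
  preflight("https://api.example/secure",
    [{ name: "Origin", value: ORIGIN },
     { name: "Access-Control-Request-Method", value: "GET" },
     { name: "Access-Control-Request-Headers", value: "authorization" }],
    401, [{ name: "WWW-Authenticate", value: "Bearer" }]),
  // Fine: wildcards are valid without credentials.
  preflight("https://api.example/public",
    [{ name: "Origin", value: ORIGIN },
     { name: "Access-Control-Request-Method", value: "DELETE" },
     { name: "Access-Control-Request-Headers", value: "x-trace-id" }],
    204,
    [{ name: "Access-Control-Allow-Origin", value: "*" },
     { name: "Access-Control-Allow-Methods", value: "*" },
     { name: "Access-Control-Allow-Headers", value: "*" }]),
  { request: { method: "GET", url: "https://api.example/items", headers: [] },
    response: { status: 200, headers: [] } },
] } };

console.log(JSON.stringify(tracePreflights(SAMPLE_HAR), null, 2));
```

The second case is the one that trips up most teams: the browser strips cookies and the Authorization header from the preflight, so an auth filter mounted in front of the CORS handler answers 401 and the real request never goes out.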
What does the sensitive data leak detector look for?
Tokens, API keys, JWTs, and session IDs in URL query strings; JWTs leaking via Referer headers; Authorization headers sent cross-origin; AWS access key IDs (the AKIA prefix pattern) in response bodies; Luhn-valid credit card numbers; US-style SSN patterns; private (RFC 1918) IP addresses (10.x, 192.168.x, 172.16-31.x) and localhost in bodies; and email addresses embedded in URLs. Each finding shows a redacted snippet and a concrete fix. Detected items feed a privacy grade A-F, so the page has a single quick signal of overall PII hygiene. The patterns are heuristics: a Luhn-valid 16-digit order number is reported like a card number, so review each finding before filing it.
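The leak scan above, as an added example that is not the tool's own code. It covers the URL, Referer and body patterns listed (the cross-origin Authorization check belongs with the auth section and is left out here). The regexes, the redaction format, the fix texts and the A-F grading thresholds are assumptions; the sample HAR, including the AWS example key ID from AWS's own documentation and the Visa test number, is constructed.

```javascript
// Added example, not the tool's own code: the leak patterns listed above, run
// over request URLs, Referer headers and response bodies. Regexes, fix texts and
// the grading thresholds are assumptions.
const TOKEN_PARAM = /^(access_token|token|api_key|apikey|key|session|sessionid|sid|jwt|auth)$/i;
const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;
const AWS_KEY_RE = /\bAKIA[0-9A-Z]{16}\b/g;   // long-term access key IDs, as in the FAQ
const CARD_RE = /\b(?:\d[ -]?){13,19}\b/g;     // candidates only; Luhn decides
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
const PRIVATE_HOST_RE = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|localhost)\b/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const SEVERITY = { "token-in-url": 3, "jwt-in-url": 3, "jwt-in-referer": 3, "aws-key": 3,
                   card: 3, ssn: 3, "private-host": 1, "email-in-url": 1 };

// Luhn mod-10 over a digit string: double every second digit from the right.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const redact = s => (s.length <= 6 ? "***" : s.slice(0, 4) + "..." + s.slice(-2));
const matches = (re, s) => [...s.matchAll(re)].map(m => m[0]); // re must carry the g flag
function bodyText(content) {
  if (!content || typeof content.text !== "string") return "";
  return content.encoding === "base64" ? Buffer.from(content.text, "base64").toString("utf8") : content.text;
}

// Assumed mapping: severity points summed over findings, then bucketed.
function privacyGrade(findings) {
  const score = findings.reduce((n, f) => n + (SEVERITY[f.type] || 1), 0);
  return score === 0 ? "A" : score <= 2 ? "B" : score <= 5 ? "C" : score <= 9 ? "D" : "F";
}

function scanLeaks(har) {
  const findings = [];
  const add = (type, url, raw, fix) => findings.push({ type, url, snippet: redact(raw), fix });
  for (const e of har.log.entries) {
    const url = e.request.url;
    for (const [k, v] of new URL(url).searchParams)
      if (TOKEN_PARAM.test(k)) add("token-in-url", url, v, `Send ${k} in a header or POST body; URLs end up in logs and Referer`);
    for (const m of matches(JWT_RE, url)) add("jwt-in-url", url, m, "Never put JWTs in query strings");
    for (const m of matches(EMAIL_RE, url)) add("email-in-url", url, m, "Use an opaque user id in URLs");
    const referer = (e.request.headers || []).find(h => h.name.toLowerCase() === "referer");
    if (referer) for (const m of matches(JWT_RE, referer.value))
      add("jwt-in-referer", url, m, "Keep tokens out of page URLs and set Referrer-Policy: strict-origin-when-cross-origin");
    const body = bodyText(e.response.content);
    for (const m of matches(AWS_KEY_RE, body)) add("aws-key", url, m, "Rotate this key now; secrets belong on the server");
    for (const m of matches(CARD_RE, body)) {
      const digits = m.replace(/\D/g, "");
      if (digits.length >= 13 && luhnValid(digits)) add("card", url, digits, "Return masked PANs (last four digits) only");
    }
    for (const m of matches(SSN_RE, body)) add("ssn", url, m, "Do not return SSNs to the client");
    for (const m of matches(PRIVATE_HOST_RE, body)) add("private-host", url, m, "Strip internal addresses from client responses");
  }
  return { findings, grade: privacyGrade(findings) };
}

// Constructed sample: a token and an email in a URL, a JWT in a Referer, and a
// config response that leaks an AWS key ID, an internal IP, a card number and an
// SSN. order_ref is 16 digits but fails Luhn and must not be reported.
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVyLXNpZw";
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://app.example/api/orders?access_token=tok_live_9f8e7d6c&user=bob@example.com", headers: [] },
    response: { status: 200, content: { text: "[]" } } },
  { request: { method: "GET", url: "https://cdn.example/logo.png",
      headers: [{ name: "Referer", value: `https://app.example/reset?jwt=${SAMPLE_JWT}` }] },
    response: { status: 200, content: {} } },
  { request: { method: "GET", url: "https://app.example/api/config", headers: [] },
    response: { status: 200, content: { text: JSON.stringify({
      aws_access_key_id: "AKIAIOSFODNN7EXAMPLE", db_host: "10.0.12.7",
      card_on_file: "4111 1111 1111 1111", order_ref: "4111111111111112", ssn: "123-45-6789",
    }) } } },
] } };

console.log(scanLeaks(SAMPLE_HAR));
```

Note the `matchAll` helper: the global regexes are never used with `.test()`, which would carry `lastIndex` state between calls and silently skip matches on the next entry.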
How are root causes inferred?
The tool looks for patterns that explain many failures with one underlying cause. Examples: a refresh endpoint that failed with 5xx followed by a string of 401s (auth chain broken); a single host returning 5xx on every request (host-wide outage); a single slow JS bundle followed by many late-starting XHRs (the bundle blocked dependent calls); a CDN cache status of MISS or EXPIRED on many static assets (cold cache); three or more failing CORS preflights (usually one configuration bug). Each root cause replaces what would otherwise be many noisy individual entries; failures that no pattern explains are still listed individually.
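Three of the patterns above (broken auth chain, host-wide outage, repeated preflight failures) as an added example that is not the tool's own code. The thresholds, the `/refresh/` path heuristic for the token endpoint and the sample HAR are assumptions; entries are deliberately listed out of order so the timestamp sort is exercised.

```javascript
// Added example, not the tool's own code: three of the root-cause patterns above
// over a constructed, timestamped HAR. The thresholds (three or more trailing
// 401s, every request to a host failing, three or more failed preflights) and
// the /refresh/ path heuristic are assumptions.
const hostOf = url => new URL(url).hostname;

function inferRootCauses(har) {
  const entries = [...har.log.entries]
    .sort((a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
  const explained = new Set();
  const causes = [];

  // 1. Token refresh failed with 5xx, then a run of 401s: one broken auth chain.
  const refresh = entries.findIndex(e =>
    /refresh/i.test(new URL(e.request.url).pathname) && e.response.status >= 500);
  if (refresh >= 0) {
    const unauthorized = entries.slice(refresh + 1).filter(e => e.response.status === 401);
    if (unauthorized.length >= 3) {
      const group = [entries[refresh], ...unauthorized];
      group.forEach(e => explained.add(e));
      causes.push({
        cause: "auth chain broken",
        evidence: `${entries[refresh].request.url} returned ${entries[refresh].response.status}; ${unauthorized.length} requests got 401 afterwards`,
        requests: group.length,
      });
    }
  }

  // 2. Every request to one host returned 5xx: host-wide outage (needs 2+ requests).
  const byHost = new Map();
  for (const e of entries) {
    const h = hostOf(e.request.url);
    if (!byHost.has(h)) byHost.set(h, []);
    byHost.get(h).push(e);
  }
  for (const [host, list] of byHost) {
    if (list.length >= 2 && list.every(e => e.response.status >= 500)) {
      list.forEach(e => explained.add(e));
      causes.push({ cause: "host-wide outage", evidence: `${host}: all ${list.length} requests returned 5xx`, requests: list.length });
    }
  }

  // 3. Three or more failing CORS preflights: usually one server-side config bug.
  const preflights = entries.filter(e =>
    e.request.method === "OPTIONS" && e.response.status >= 400 && !explained.has(e));
  if (preflights.length >= 3) {
    preflights.forEach(e => explained.add(e));
    causes.push({ cause: "CORS preflight misconfiguration", evidence: `${preflights.length} preflights failed`, requests: preflights.length });
  }

  // Whatever no pattern explains stays listed as an individual failure.
  const unexplained = entries
    .filter(e => e.response.status >= 400 && !explained.has(e))
    .map(e => `${e.response.status} ${e.request.url}`);
  return { causes, unexplained };
}

// Constructed sample, listed out of order to show that timestamps decide sequence.
const T0 = Date.UTC(2024, 0, 1, 12, 0, 0);
const req = (i, method, url, status) => ({
  startedDateTime: new Date(T0 + i * 100).toISOString(),
  request: { method, url, headers: [] },
  response: { status, headers: [] },
});
const SAMPLE_HAR = { log: { entries: [
  req(2, "GET", "https://app.example/api/profile", 401),
  req(0, "GET", "https://app.example/", 200),
  req(1, "POST", "https://auth.example/oauth/refresh", 503),
  req(3, "GET", "https://app.example/api/orders", 401),
  req(4, "GET", "https://app.example/api/cart", 401),
  req(5, "GET", "https://search.example/q?term=shoes", 502),
  req(6, "GET", "https://search.example/suggest", 504),
  req(7, "OPTIONS", "https://api.example/v1/a", 403),
  req(8, "OPTIONS", "https://api.example/v1/b", 403),
  req(9, "OPTIONS", "https://api.example/v1/c", 403),
  req(10, "GET", "https://app.example/missing.png", 404),
] } };

console.log(inferRootCauses(SAMPLE_HAR));
```

Ten of the eleven failures collapse into three root causes; the lone 404 is the only entry a reader still has to look at on its own.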
How accurate is the Web Vitals approximation?
Real Web Vitals (LCP, FCP, TTFB, INP, CLS) are measured in the browser via PerformanceObserver. A HAR only contains network request timings, so the approximation is best-effort. TTFB can be read directly from the document request. The FCP estimate is the point at which both the HTML document and its render-blocking CSS have finished downloading, which is a lower bound on real FCP since the browser still has to parse and paint. The LCP candidate is the largest image or video that finished within the first 5 seconds, which is often but not always the real LCP element (a text block can be the true LCP, and this heuristic cannot see it). INP and CLS are not estimated at all; they depend on interaction and layout data a HAR does not contain. Use these as a sanity check, not as a replacement for Lighthouse or RUM.
What does Compare mode do?
Upload a "before" and "after" HAR of the same page. Each request is paired by method + URL, with cache-buster query params (t, ts, _, cb, v, version, etc.) ignored, so an asset versioned with a query string such as ?v=42 still pairs across deploys. An asset whose content hash is in the file name (app.3f9a1c.js) gets a new URL on every build and shows up as one removed plus one added request instead. The diff lists which requests are added, removed, or changed (status flip, slower or faster, larger or smaller). The header card surfaces the total bytes delta, the total time delta, status flips that broke things that were working, and status flips that fixed things that were broken. Useful for "it was fast yesterday" or "this deploy made the page heavier".
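The pairing and diff described above, as an added example that is not the tool's own code. The cache-buster name list (the FAQ's names plus two assumed ones), the change thresholds, the use of `response.bodySize` as the size measure and the two sample HARs are assumptions. It also handles one case the FAQ does not spell out: a URL requested more than once in the same capture (polling) is suffixed so the n-th occurrence pairs with the n-th occurrence.

```javascript
// Added example, not the tool's own code: pairing requests across two HARs and
// diffing them. The cache-buster list, the thresholds and the use of
// response.bodySize as the size measure are assumptions.
const CACHE_BUSTERS = new Set(["t", "ts", "_", "cb", "v", "version", "nocache", "rnd"]);
const TIME_THRESHOLD_MS = 200;     // assumed: smaller time changes are noise
const SIZE_THRESHOLD_BYTES = 1024; // assumed: smaller size changes are noise

// Method + URL with cache-buster params removed and the rest sorted, so that
// parameter order does not break pairing either.
function pairKey(entry) {
  const u = new URL(entry.request.url);
  for (const name of [...u.searchParams.keys()]) if (CACHE_BUSTERS.has(name)) u.searchParams.delete(name);
  u.searchParams.sort();
  const q = u.searchParams.toString();
  return `${entry.request.method} ${u.origin}${u.pathname}${q ? "?" + q : ""}`;
}

// Repeated URLs (polling) get a #2, #3 suffix so occurrences pair positionally.
function indexByKey(har) {
  const seen = new Map(), out = new Map();
  for (const e of har.log.entries) {
    const base = pairKey(e), n = (seen.get(base) || 0) + 1;
    seen.set(base, n);
    out.set(n === 1 ? base : `${base}#${n}`, e);
  }
  return out;
}

const sizeOf = e => Math.max(0, e.response.bodySize || 0); // HAR uses -1 for unknown

function compareHars(before, after) {
  const a = indexByKey(before), b = indexByKey(after);
  const r = { added: [], removed: [], changed: [], broke: [], fixed: [], bytesDelta: 0, timeDelta: 0 };
  for (const [key, eb] of b) {
    const ea = a.get(key);
    if (!ea) { r.added.push(key); r.bytesDelta += sizeOf(eb); r.timeDelta += eb.time; continue; }
    const changes = [];
    const sa = ea.response.status, sb = eb.response.status;
    if (sa !== sb) {
      changes.push(`status ${sa} -> ${sb}`);
      if (sa < 400 && sb >= 400) r.broke.push(key);
      if (sa >= 400 && sb < 400) r.fixed.push(key);
    }
    const dt = eb.time - ea.time, ds = sizeOf(eb) - sizeOf(ea);
    if (Math.abs(dt) >= TIME_THRESHOLD_MS) changes.push(dt > 0 ? `slower by ${dt} ms` : `faster by ${-dt} ms`);
    if (Math.abs(ds) >= SIZE_THRESHOLD_BYTES) changes.push(ds > 0 ? `larger by ${ds} B` : `smaller by ${-ds} B`);
    r.bytesDelta += ds;
    r.timeDelta += dt;
    if (changes.length) r.changed.push({ key, changes });
  }
  for (const [key, ea] of a) {
    if (!b.has(key)) { r.removed.push(key); r.bytesDelta -= sizeOf(ea); r.timeDelta -= ea.time; }
  }
  return r;
}

// Constructed sample: same page before and after a deploy. The bundle got a new
// ?v= and grew, the items API broke, old.css was dropped, new.js was added.
const mk = (method, url, status, time, bodySize) => ({
  request: { method, url, headers: [] }, response: { status, headers: [], bodySize }, time,
});
const BEFORE = { log: { entries: [
  mk("GET", "https://app.example/", 200, 300, 5000),
  mk("GET", "https://app.example/app.js?v=41", 200, 400, 120000),
  mk("GET", "https://app.example/api/items?_=1700000000", 200, 150, 2000),
  mk("GET", "https://app.example/old.css", 200, 50, 3000),
] } };
const AFTER = { log: { entries: [
  mk("GET", "https://app.example/", 200, 320, 5000),
  mk("GET", "https://app.example/app.js?v=42", 200, 900, 180000),
  mk("GET", "https://app.example/api/items?_=1700009999", 500, 150, 100),
  mk("GET", "https://app.example/new.js", 200, 100, 40000),
] } };

console.log(compareHars(BEFORE, AFTER));
```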
Are HAR files safe to share?
They include every request and response header, which usually means session cookies and Authorization tokens, and an export "with content" also carries POST bodies (login forms, API payloads) and response bodies. Anyone holding the HAR can replay your authenticated requests until those tokens expire or you revoke them. Before sharing externally, redact Cookie, Set-Cookie and Authorization headers, tokens in query strings and request bodies, or share only with trusted parties; recording the session under a throwaway account is safer still. The tool itself parses everything in your browser; nothing is uploaded.
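A redaction pass to run before a HAR leaves your machine, as an added example that is not the tool's own code. The header and parameter name lists are assumptions to extend for your own applications, and the sample HAR is constructed; the function leaves the original object untouched and returns a sanitized copy, with a companion check that reports anything secret-looking still present.

```javascript
// Added example, not the tool's own code: redacting a HAR before sharing it.
// The header and parameter name lists are assumptions; extend them as needed.
const SECRET_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie",
                                "x-api-key", "x-auth-token"]);
const SECRET_PARAMS = /^(access_token|token|api_key|apikey|key|session|sid|jwt|code|state)$/i;
const REDACTED = "REDACTED";

function redactUrl(url) {
  const u = new URL(url);
  let changed = false;
  for (const k of [...u.searchParams.keys()])
    if (SECRET_PARAMS.test(k)) { u.searchParams.set(k, REDACTED); changed = true; }
  return changed ? u.href : url;
}

function redactHeaders(headers) {
  for (const h of headers || []) if (SECRET_HEADERS.has(h.name.toLowerCase())) h.value = REDACTED;
}

// Returns a sanitized deep copy. POST bodies are redacted by default because
// login forms live there; response bodies are kept unless keepBodies is false.
function sanitizeHar(har, { keepBodies = true, keepPostData = false } = {}) {
  const out = JSON.parse(JSON.stringify(har)); // never mutate the caller's object
  for (const e of out.log.entries) {
    e.request.url = redactUrl(e.request.url);
    for (const q of e.request.queryString || []) if (SECRET_PARAMS.test(q.name)) q.value = REDACTED;
    redactHeaders(e.request.headers);
    redactHeaders(e.response.headers);
    for (const c of [...(e.request.cookies || []), ...(e.response.cookies || [])]) c.value = REDACTED;
    if (e.request.postData && !keepPostData) {
      if ("text" in e.request.postData) e.request.postData.text = REDACTED;
      for (const p of e.request.postData.params || []) p.value = REDACTED;
    }
    if (!keepBodies && e.response.content) delete e.response.content.text;
  }
  return out;
}

// Check before sending: names of secret-looking headers and params still unredacted.
function remainingSecrets(har) {
  const hits = [];
  for (const e of har.log.entries) {
    for (const h of [...(e.request.headers || []), ...(e.response.headers || [])])
      if (SECRET_HEADERS.has(h.name.toLowerCase()) && h.value !== REDACTED) hits.push(h.name);
    for (const [k, v] of new URL(e.request.url).searchParams)
      if (SECRET_PARAMS.test(k) && v !== REDACTED) hits.push(k);
  }
  return hits;
}

// Constructed sample: one authenticated login request with every kind of secret.
const SAMPLE_HAR = { log: { entries: [{
  request: {
    method: "POST", url: "https://app.example/api/login?token=abc123&page=2",
    headers: [{ name: "Authorization", value: "Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig" },
              { name: "Cookie", value: "session=s3cr3t" }],
    queryString: [{ name: "token", value: "abc123" }, { name: "page", value: "2" }],
    cookies: [{ name: "session", value: "s3cr3t" }],
    postData: { mimeType: "application/x-www-form-urlencoded", text: "user=bob&password=hunter2",
                params: [{ name: "user", value: "bob" }, { name: "password", value: "hunter2" }] },
  },
  response: {
    status: 200,
    headers: [{ name: "Set-Cookie", value: "session=n3w; Secure; HttpOnly" }],
    cookies: [{ name: "session", value: "n3w" }],
    content: { mimeType: "application/json", text: "{\"ok\":true}" },
  },
}] } };

console.log(remainingSecrets(SAMPLE_HAR), remainingSecrets(sanitizeHar(SAMPLE_HAR)));
```

Redacting is better than deleting: keeping the header names in place tells whoever debugs the file that an Authorization header was sent, which is often the very fact they need.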
Why is the body content sometimes empty?
HAR exports default to "without content" in some tools to keep file size down. Block-page detection and sensitive-data scanning need response bodies, so always export "with content" if you want full analysis.