online / endpoints 139 / categories 19 / rate 60/min/ip /
catastrophic.io
hub · tools

Tools

What your client looks like to a server, before you point it at the chaos.

Before you point your client at /json or /retry-mismatch to see how it copes with adversity, it’s worth knowing what your client actually looks like to a server. These endpoints don’t misbehave — they’re the baseline you’re testing against.

Every endpoint here is dual-mode: JSON by default, rendered HTML when the client sends Accept: text/html (which browsers always do). curl gets the raw JSON; the browser gets a styled table of the same data. The HTML version is undocumented surface — there’s no OpenAPI entry and no catalog listing. They’re tools, not features.

Server-observed

What the server knows about your client from the request itself. Server-observed data is populated by the edge — no third-party API is called, and nothing is logged or retained.

/ip

Your IP address as the server sees it, enriched with geo (continent, country, region, city, postal code, lat/lon, timezone, metro code) and network (ASN, AS organization, edge colo). Plus the CF-Ray request ID for log correlation.

/headers

Every HTTP request header that arrived at the server, including the CF-* headers the edge adds on the way in.

/connection

Protocol and edge-network metadata for the connection between your client and the edge: HTTP version, TLS version and cipher, client TCP round-trip time, edge colo, and the CF-Ray. JA3/JA4 TLS fingerprints are included when Bot Management is available.

/locale

Parsed Accept-Language header (quality-sorted) combined with server-side geolocation to produce a suggested BCP-47 locale tag. Useful for testing locale-detection logic in your own apps without rolling the same parser yourself.

/encoding

Original Accept-Encoding your client sent vs. what the edge sees after the edge has normalized it, with a per-encoding diff. Diagnose Brotli/gzip/zstd negotiation issues.

Client-introspected

What your browser leaks to JavaScript without asking permission. Client-introspected data runs entirely in your browser — nothing on these pages is sent anywhere.

/fingerprint

Passive probes (canvas hash, WebGL vendor/renderer, audio fingerprint, font detection, UA Client Hints, network info, storage, hardware, display, locale) plus two opt-in active probes (WebRTC LAN-IP via public STUN, permissions inventory).

/profile

Everything above in one page: the server-observed sections render first, the client-side probes append below, and the copy-as-JSON button combines both. The curl version returns just the server-observed aggregate.