Fetch with custom headers → render HTML via iframe srcdocUseful for WAF allow/deny tests
Request Builder
CORS: unknown
Tip: for JSON body, set a header like Content-Type: application/json.
Note: browsers block some headers (e.g. Host, Origin, Referer, User-Agent). Custom headers like
X-* are fine.
If the preview shows a CORS error, you’ll need to run this through a tiny same-origin proxy (I can give you a
single-file PHP proxy for PPTMSTR or an Unraid container option).