I built a minimal HTTP debugging tool that echoes back request metadata. It’s like httpbin.org but self-hosted on Vercel with built-in safety measures for production use.

Demo: request-echoer.vercel.app
Source: github.com/brianhliou/request-echoer

Why build this?

  • Verify what your frontend actually sends (headers, query params, payloads).
  • Debug fetch or curl without third-party services.
  • Learn how to wire up Vercel Edge Functions + static UI.
  • Practice adding basic hardening (redacting secrets, truncating large bodies, strict CORS).

How it works

  • UI: A single index.html lets you choose method, query string, headers, and body.
  • Backend: /api/echo is an Edge Function that parses the request and returns JSON.
  • Security:
    • Redacts sensitive headers (authorization, cookies, API keys).
    • Removes IP/geo and Vercel-specific tokens.
    • Truncates request bodies over 100 KB.
    • Enforces an allowlist for CORS.
    • Adds default CSP, Referrer-Policy, and MIME-sniffing protections.

The result is a stateless debugging tool: nothing stored, everything echoed right back.
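The hardening steps listed above, sketched as plain functions. This is an added example, not the project's own code: the header lists, the x-vercel- prefix rule, the [REDACTED] marker, and every function name are assumptions made for illustration.

```javascript
const MAX_BODY_BYTES = 100 * 1024; // the 100 KB limit stated in the post
const REDACTED = "[REDACTED]";
// Assumed lists, for illustration only.
const SECRET_NAMES = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie"]);
const SECRET_PATTERN = /token|secret|api-?key/;
const DROP_PATTERNS = [/^x-forwarded-for$/, /^x-real-ip$/, /^x-vercel-/];

function sanitizeHeaders(headers) {
  const out = {};
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (DROP_PATTERNS.some((re) => re.test(name))) continue; // IP/geo, platform tokens
    const secret = SECRET_NAMES.has(name) || SECRET_PATTERN.test(name);
    out[name] = secret ? REDACTED : value;
  }
  return out;
}

function truncateBody(text) {
  const bytes = new TextEncoder().encode(text);
  if (bytes.length <= MAX_BODY_BYTES) return { body: text, truncated: false };
  // Cut on bytes, not characters; a split multi-byte character decodes to U+FFFD.
  const body = new TextDecoder().decode(bytes.subarray(0, MAX_BODY_BYTES));
  return { body, truncated: true };
}

function corsHeaders(origin, allowOrigins) {
  const allowed = (allowOrigins || "").split(",").map((s) => s.trim()).filter(Boolean);
  const headers = { Vary: "Origin" };
  // Exact string match against the allowlist; unknown origins get no CORS header.
  if (origin && allowed.includes(origin)) headers["Access-Control-Allow-Origin"] = origin;
  return headers;
}

function echo(req, allowOrigins) {
  return {
    responseHeaders: corsHeaders(req.headers.origin, allowOrigins),
    json: { method: req.method, path: req.path, headers: sanitizeHeaders(req.headers), ...truncateBody(req.body) },
  };
}

// Constructed sample request (not captured traffic).
const sample = { method: "POST", path: "/api/echo", body: '{"hello":"world"}', headers: {
  origin: "https://request-echoer.vercel.app", "content-type": "application/json",
  authorization: "Bearer constructed-value", "x-vercel-ip-country": "US", "x-forwarded-for": "203.0.113.7" } };
console.log(JSON.stringify(echo(sample, "https://request-echoer.vercel.app"), null, 2));
```

Dropped headers never reach the response, while redacted ones keep their name so you can still confirm the client sent them.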

Example

Run:

curl -s -X POST https://request-echoer.vercel.app/api/echo \
  -H 'Content-Type: application/json' \
  -d '{"hello":"world"}' | jq

Response (simplified):

{
  "method": "POST",
  "path": "/api/echo",
  "headers": {
    "content-type": "application/json",
    "user-agent": "curl/8.4.0"
  },
  "body": { "hello": "world" }
}

Running locally

Clone the repo and run:

npm install
npx vercel dev

Then open http://localhost:3000 in a browser and test the UI.

Deploying to Vercel

  1. Import the repo into Vercel (Framework Preset: Other).
  2. Set ALLOW_ORIGINS in Environment Variables to the domains you trust (comma-separated list, e.g., https://request-echoer.vercel.app,https://localhost:3000).
  3. Deploy — you’ll get a live subdomain like https://request-echoer.vercel.app/.

Lessons learned

  • Serverless is fast to bootstrap: one static file + one function is enough.
  • Echo servers can leak data: OIDC tokens, IP geo, and tracing IDs appear in headers by default. Redaction is essential.
  • CORS discipline matters: never respond with * if you care about safety.
  • Minimal ≠ careless: even toy apps should apply basic hygiene so you don’t accidentally leak secrets.

This project started as a learning exercise and ended up as a handy utility. Feel free to fork it, improve the UI, or extend the backend to act more like a mini-httpbin.