Skip to content
What Is My IP
Browser Privacy Check
WebRTC Leak Test
DNS Lookup
Email Auth
Port Scanner
IPv6 Readiness
Reverse DNS
Resolver Compare
SSL Checker
HTTP Headers
WHOIS Lookup
Redirect Checker
CAA Checker
DNSSEC Check
Website Status
Is It Down?
Site Speed
HTTP Ping
Subnet Calculator
IP Address Converter
Password Strength Checker
JWT Decoder
URL Parser

About

Browser-side · queries to public APIs

About PingThat

Last updated: 2026-05-26

What this is

PingThat is a suite of 23 free network and security tools — DNS lookups, WHOIS, SSL certificate inspection, HTTP headers, JWT decoder, subnet calculator, port scan, redirect tracing and a handful of privacy checks. Some tools run entirely in your browser; others necessarily query DNS or fetch a remote host and therefore need network access (your browser's, or a small backend acting on your behalf). The next section spells out exactly which tool does which — no hand-waving claims about "everything happens locally" when a DNS query obviously cannot.

Where each tool runs

PingThat tools fall into five execution buckets. We name them up front because the privacy implications differ:

  • Pure client (5 tools) — no network call at all. Everything happens in your browser tab.
    subnet-calculator, ip-converter, password-strength, jwt-decoder, url-parser
  • Browser → public STUN server (2 tools) — the WebRTC leak and privacy checks open an RTCPeerConnection against Google's public STUN endpoint (stun.l.google.com:19302) to gather ICE candidates. Surfacing what your browser reveals to a STUN server is the entire point of the test — without the STUN query there is nothing to detect. No application data is sent, only standard ICE-gathering UDP packets.
    webrtc-leak-test, privacy-check
  • Browser → Cloudflare DNS-over-HTTPS (5 tools) — your browser sends a DoH query to cloudflare-dns.com/dns-query. The query goes from your IP to Cloudflare, not through a PingThat server. We never see the lookup.
    dns-lookup, reverse-dns, caa-lookup, dnssec-check, ipv6-check
  • Browser → third-party HTTP probe (1 tool)my-ip fetches from ipapi.co and api.ipify.org to identify your public IP plus a few geo/ISP fields. The HTTP request goes from your browser directly to those endpoints (no PingThat proxy), but the data flow is to a different service than the DoH bucket above. Listed separately so the privacy distinction is explicit.
    my-ip
  • Through a PingThat backend (10 tools) — a small Cloudflare Worker function does the network work on your behalf. We need a backend when the operation cannot run in a browser sandbox (raw TCP for port-scan, SSL handshake, WHOIS protocol, server-side timing of an HTTP fetch). The Worker receives the target hostname/IP from you, runs the query, returns the result, and does not log inputs. The full list of endpoints lives at functions/api/ in the open repository.
    whois-lookup, ssl-checker, port-scan, http-headers, site-speed, email-auth, redirect-checker, resolver-compare, is-it-down, is-it-up

For tools in the fifth bucket, the target you type does leave your device — that is the entire point of the tool. If that is a deal-breaker, stick to the first four buckets or run the equivalent CLI locally (dig, openssl s_client, whois).

Data sources and third-party services

Tools that query the network rely on the following upstream services:

  • Cloudflare DNS-over-HTTPS (1.1.1.1) — for all DNS-related lookups (A/AAAA/MX/TXT/CAA/DNSSEC/PTR). Browser queries DoH directly, no PingThat proxy in the path.
  • Multiple public DNS resolversresolver-compare queries Cloudflare, Google (8.8.8.8), Quad9 (9.9.9.9) and OpenDNS in parallel to surface inconsistencies. The list and current responses are visible in the tool output.
  • WHOIS protocol (port 43) and RDAPwhois-lookup queries the appropriate registry server based on TLD. Backend Worker handles the protocol since browsers cannot speak raw WHOIS.
  • Direct TCP/TLS to the target hostssl-checker, port-scan, http-headers, site-speed, is-it-down/is-it-up, redirect-checker all connect to the host you specify. The Worker is the requesting party from the target's perspective.
  • No paid commercial APIs — no shodan.io, censys.io, maxmind, ipinfo.io or similar enrichment services are in the request path. If a tool ever needs one of those, it will be disclosed here first.

Accuracy, caching and rate limits

The backend Worker applies short-TTL caching (typically 30–60 seconds) to reduce upstream load and absorb refresh-button bursts. That means a result you see at second t may match a query made at t − 30s, which matters for tools probing a host you are actively troubleshooting. Force a fresh query by adding a cache-busting query parameter or waiting a minute.

PingThat does not impose a per-user rate limit beyond what Cloudflare's edge applies to abusive traffic patterns. Upstream services may rate-limit independently (WHOIS registries are notoriously strict — typically 1 query per second per source IP, and the Worker's IP is shared across all PingThat users, so heavy WHOIS use can occasionally hit a registry-side throttle). When that happens the tool surfaces the error verbatim rather than masking it as a success.

Numbers PingThat reports come straight from the upstream protocols and are as accurate as the source: SSL certificate dates from the certificate itself, DNS TTLs from the authoritative answer, HTTP timing from the Worker's clock. We do not adjust, average or smooth values.

Why it exists

Most network-tool sites online today follow the same pattern: a slow page filled with intrusive ads, a paywall hiding the actually useful features, a forced signup, and they keep query logs that are then sold or queried later. After running into one too many of those, the operator (an independent developer based in Spain) started building self-contained alternatives one tool at a time. PingThat is the result for the network category.

The design philosophy: every tool that can technically run client-side must run client-side. Where a backend is unavoidable (TCP, WHOIS, raw HTTP timing), it is a thin Worker that does not log queries. If a feature genuinely needs a paid third-party API, that is documented up front and an alternative is offered.

How it is funded

PingThat is free, with no signup, no premium tier and no upsell. The site is funded by display ads (Google AdSense) shown around the tools, and by occasional Buy Me a Coffee tips from people who liked the result and wanted to say thanks.

This means the site is sustainable without harvesting your queries, gating tools behind a paywall, or pushing you toward a desktop app. If you find one of the tools genuinely useful and want to support continued development, the Buy Me a Coffee link in the footer is the most direct way.

Who is behind it

PingThat is built and maintained by Marco B., an independent developer based in Spain. The site is part of a small portfolio of utility web apps (CompoundVision for finance, AllYouNeed for general tools, JSONCraft for developers, OpenImages for image work, OpenPDF for PDFs, PingThat for networking). Each one shares the same private-by-default design.

If you would like to talk to a human about a tool, a bug or a feature you wish existed, the Contact page has a feedback form that lands in the operator's inbox within a few hours during EU working days.

Editorial independence

The advertising network (Google AdSense) does not influence which tools are built or how they work. There are no sponsored articles, no "best of" lists pushing affiliate links, no referral kickbacks for VPN or hosting recommendations, and no editorial choices made to favour an advertiser. If a tool exists on the site, it is because it was useful enough to the operator to build and ship it.

By ·