Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device.

This is a privacy problem, which I'm not going to focus o...

I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves.

There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. The...

If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important.

It's also remarkably complicated and confusing.

Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...

Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web.

This is going to be a huge opportunity to in...

Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request.

This is bad!

This package is used for PAC file suppor...

Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact.

In practice, this poses a risk to anybody making TLS conne...

There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5).

I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems.

That is worth ...

Once upon a time, loading common scripts & styles from a public CDN like cdnjs or Google's Hosted Libraries was a 'best practice' - a great way to instantly speed up your page loads, optimize caching, and reduce costs.

Nowadays, it's become a recipe for security, privacy & stability problems, with near-zero benefit. Just last week, a secu...

Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests.

This is problematic for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either - protections like this attempt to direct...

HTTP content encoding is an incredibly powerful tool that can save you huge amounts of bandwidth and make your web or mobile application faster, basically for free.

Unfortunately, it's poorly understood by most developers. There's a lot of power here, but few people are aware of the options or what "content encoding" really means, so it's mostly le...

HTTP(S) is the glue that binds together modern architectures, passing requests between microservices and connecting web & mobile apps alike to the APIs they depend on.

What if you could embed scripts directly into that glue?

By doing so, you could:

  • Inject errors, timeouts and unusual responses to test system reliability.
  • Record & report ...

Traditionally, a TCP port has a single server listening for incoming connections, and that server expects you to send messages in the right protocol for that port. For HTTP, it's normally a web server that'll send you a response directly, or some kind of proxy that will pass all requests through to another server, and then pass the responses back.


Nothing is ever finished or perfect, and HTTP is no exception.

HTTP SEARCH is a new HTTP method, for safe requests that include a request body. It's still early & evolving, but it was recently adopted as an IETF draft standard, and it's going to add some great new tools for HTTP development everywhere.

What does that mean, why do we need a new...

CORS can be complicated. If you're struggling with it, you might discover the concept of a 'CORS proxy' that promises to solve this, like cors-anywhere or one of the many 'free CORS proxy' hosted services.

CORS proxies let you bypass the security restrictions that CORS applies, with just a tiny change of URL.

That feels convenient, but turning off ...

The proxy configuration on iOS is actually specifically for HTTP proxies.

It does not mean that all network traffic is sent via the proxy - only HTTP traffic, like the traffic used to load websites in Safari. Whatsapp's protocol is not standard HTTP (it seems like it uses a variant of XMPP) and so in their app they will be using APIs that do not ta...

Fix error types for TextDecoder
Yes - if the path is relative (if it starts with a slash, not with http://...) then to get the full URL you should put the hostname in front.

I am confused about this as how am I seeing a response without sending a request?

A request consists of a few things:

  • Always: an HTTP method (GET, POST, or similar)
  • Always: a path (/document/123)
  • Optional: any number of HTTP headers (my-header: abc)
  • Optional: a request body

A response consists of:

  • Always: an HTTP status (404)
  • Always (in HTTP/1...
You don't need to subscribe - HTTP Toolkit is free for all simple functionality like intercepting, viewing and breakpointing all JVM traffic. Pro is only required for advanced automated rewriting rules, import/export, and so on.
I put in all those days of research, crafting perfect blog posts and endlessly tweaking titles to get them juuuust… https://twitter.com/i/web/status/1472930230687907840
WIP: Fix the Docker build, which is broken by missing S3 buckets
Can you explain what you mean by "this tool is inconvenient for me because there are many emulators"?
Allow configuring the listen address for each inner DNS server
Default to IPv4 localhost for Node 17 compatibility
Fix minor typo in the README
Handle & report server request errors as 'requestError' events
Oooooh, fancy new page title for unfocused GitHub tabs just dropped: https://t.co/qS27tZCz9I
This tweet now adapted into a thrilling blog post, for those who want the full gory details: https://httptoolkit.tech/blog/tls-fingerprinting-node-js/ https://twitter.com/pimterry/status/1466428395571589135
The amazing @shroudedcode has pointed me to the first example of TLS fingerprint validation (… https://twitter.com/i/web/status/1466428395571589135
Tis the season of @24PullRequests! I'm going to try to make an open-source contribution (and share it in this thre… https://twitter.com/i/web/status/1466107300599504898
I've been finding a world of interesting tidbits nestled inside each other as I dig into the internals of IPFS rece… https://twitter.com/i/web/status/1465486964023603202
Excited for this! 🎅🎄🎁 Is it really even Christmas if you haven't created the traditional 24 PRs for your favourit… https://twitter.com/i/web/status/1464567010851971079
Starting to make real progress on adding IPFS support to HTTP Toolkit and Mockttp! (Context:… https://twitter.com/i/web/status/1463574305694965767
Ah, the simple joy of publishing a new message out to the mailing list, brimming with exciting updates... Amazing… https://twitter.com/i/web/status/1463150598346481673
Just published another new instalment, fresh from my favourite content production process: "if 3+ people email you… https://twitter.com/i/web/status/1462793763848437767
Shipped the first public release of automatic Docker container interception to HTTP Toolkit's alpha testers today 😊… https://twitter.com/i/web/status/1458852079561285648