Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git-Confirm and notes.

It's hard to work on APIs without hearing about OpenAPI. OpenAPI is an API description format, which is essentially metadata that describes an HTTP API: where it lives, how it works, what data is available, and how it's authenticated. Additional keywords can be used to provide all sorts of validation information, adding a type system to what would ...
Everything crashes. Sometimes things crash when they're running inside a Docker container though, and then all of a sudden it can get much more difficult to work out why, or what the hell to do next. Docker's great, but it's an extra layer of complexity that means you can't always easily poke your app up close any more, and that can really hinder d...
A couple of weeks ago I published a post about changes in Android 14 that fundamentally break existing approaches to installing system-level CA certificates, even with root access. This has triggered some fascinating discussion! I highly recommend a skim through the debate on Mastodon and Hacker News. Since that was posted, quite a few people have ...
Update: This post sparked a lot of excellent discussion and debate on workarounds, and there are now multiple working solutions to allow certificate injection on Android 14, despite the restrictions discussed here. See the update post for more details. When Android was initially announced in 2007 by the Open Handset Alliance (headed by Google) their...
There's been a lot of concern recently about the Web Environment Integrity proposal, developed by a selection of authors from Google, and apparently being prototyped in Chromium. There's good reason for anger here (though I'm not sure yelling at people on GitHub is necessarily the best outlet). This proposal amounts to attestation on the web, limit...
Caching is hard. Unfortunately though, caching is quite important. Hosted caching & CDNs offer incredible powers that can provide amazing performance boosts, cost savings & downtime protection, essential for most modern sites with any serious volume of users. Unfortunately, while there are strict standards for how caching is supposed to work with H...
This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
Add an asset entry point
https://blog.postman.com/download-mobile-game-postman-api-first-journey/ *Blinking* I... I really don't know...
Add HTTP Toolkit deal
Feedback
Allow intercepting incoming traffic, acting as a reverse proxy
Guess I can probably delete this then 😂
https://tuta.com/blog/chat-control is really fantastic news. Great not just to see sanity prevail over #ChatCo...
Interception issue with no traffic collected
Allow interception of a single target desktop app
Answer by Tim Perry for Why does repeating intercepted API calls in Charles Proxy work, but exporting them as a cURL and running them fails?
It's hard to know without being able to see the specific code, but one possibility is TLS fingerprinting. I've...
Efficient way to get a class reference from a given instance
Handle VPN detection
Answer by Tim Perry for How can I see the entire HTTP request that's being sent by my Python application?
You can use HTTP Toolkit to do exactly this. It's especially useful if you need to do this quickly, with no co...
Manual iOS interception issues
Allow importing Charles CHLS and CHLSJ files
Disable ESLint error in test TS type code
Convert H2 headers to H1 if required in auto()
Achievement unlocked: digging into HTTP Toolkit's source code & reproducing interception techniques is...
New repo: httptoolkit/ios-ssl-pinning-demo
In the coming months, this will go further, and eventually be fully integrated into https://httptoolkit.com fo...
A huge thank you here must go to @NGIZero (https://nlnet.nl)! 🙏 They're funding this research, as part of t...
This is Android-only for now, but an iOS equivalent is coming too very shortly - keep an eye on that Frida scr...