Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact with and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves. There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. There are few g...
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important. It's also remarkably complicated and confusing. Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...
Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web. This is going to be a huge opportunity to invest in ex...
Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. This is bad! This package is used for PAC file suppor...
Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact. In practice, this poses a risk to anybody making TLS conne...
There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5). I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems. That is worth ...
I found the problem - I turned it off myself and forgot about it.😐 4 years studying a computer science degree,...
The ongoing Docker drama left me wanting to control my Docker image hosting, so I went digging into the API tr...
New repo: httptoolkit/docker-registry-facade
How to forcibly reset a socket in Node.js?
I'm receiving 'read ECONNRESET' errors from my Node.js application (might be client or server connections, I'm...
Answer by Tim Perry for How to forcibly reset a socket in Node.js?
Update 2023 The linked issue was merged. You can now send RST packets with socket.resetAndDestroy(). const ne...
Invalid refs in OpenAPI spec
Hmmm, yesterday's HTTP Toolkit twitter thread (https://twitter.com/HttpToolkit/status/1633494507323834374)...
Update URLs of VocaDB & VersionEye specs
Remove outdated/duplicate Xero.com Swagger spec
How to get a callback when a custom element *and its children* have been initialized
I'm nesting custom elements. I'd like to have my parent custom element use methods and properties from its chi...
References to existing but null values fail as missing
Support splitting the View page UI horizontally instead of vertically
Could go either way ofc, but given the effect that Valve have had on other Linux tech (esp Wine), the army of ...
Meanwhile, Ubuntu is dropping Flatpak entirely (https://www.omgubuntu.co.uk/2023/02/ubuntu-flavors-no-flatpak)...
https://boilingsteam.com/steam-deck-first-anniversary-of-the-ultimate-gaming-platform/ is generally interestin...
Anybody have any experience with Scaleway (http://scaleway.com)? I'm looking at migrating hosting services,...
⚠️ Do not commit your life to an open-source project where you will have a terrible time unless you win the lot...
If you bet everything on "I will find a job where an employer will pay me full time just to work on my ow...
If you're webpack, this is great, but for ~99% of other projects, core-js included, you'll make pocket...
Meanwhile, if you bet everything on the Open Collective/Tidelift/GitHub sponsors model, that really only works...
Each option lets you continue to write FOSS code with your community, but offers a route for some portion t...
There is *nothing* wrong with selling advanced access/content/tweaks that 99% of users don't need, to the ...
That deep knowledge of your project especially is super valuable, and unique to you. You have an absolute monop...
These are all additional work, and success is not guaranteed. Validate demand, like any business idea. That sai...