Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

Designing API Errors
When everything goes smoothly with an API, life is pretty straightforward: you request a resource, and voilà, you get it. You trigger a procedure, and the API politely informs you it’s all gone to plan. But what happens when something goes pear-shaped? Well, that’s where things can get a bit tricky. HTTP Status Codes HTTP status codes are like a fi...
The Open Source Pledge is a new push to make companies commit to funding the maintainers of the open-source software they depend on, and to publicly recognize the ones that do. HTTP Toolkit has donated back to maintainers for a few years now, but joining the Open Source Pledge today means formally committing to that, and to doing so publicly with a...
As of February 14th 2024, RFC 9512 formally registers application/yaml as the media type for all YAML content, and adds +yaml as a standard structured suffix for all YAML-based more specific media types. With this registration, it's now included in the official media types list maintained by the IANA. Media types like this (also known as the MIME t...
The X-Forwarded-For (XFF) HTTP header provides crucial insight into the origin of web requests. The header works as a mechanism for conveying the original source IP addresses of clients, and not just across one hop, but through chains of multiple intermediaries. This list of IPv4 and IPv6 addresses is helpful to understand where requests have reall...
Idempotency is when doing an operation multiple times is guaranteed to have the same effect as doing it just once. When working with APIs this is exceptionally helpful on slow or unreliable internet connections, or when dealing with particularly sensitive actions such as payments, because it makes retrying operations safe and reliable. This is why ...
It's hard to work on APIs without hearing about OpenAPI. OpenAPI is an API description format, which is essentially metadata that describes an HTTP API: where it lives, how it works, what data is available, and how it's authenticated. Additional keywords can be used to provide all sorts of validation information, adding a type system to what would ...
Everything crashes. Sometimes things crash when they're running inside a Docker container though, and then all of a sudden it can get much more difficult to work out why, or what the hell to do next. Docker's great, but it's an extra layer of complexity that means you can't always easily poke your app up close any more, and that can really hinder d...
A couple of weeks ago I published a post about changes in Android 14 that fundamentally break existing approaches to installing system-level CA certificates, even with root access. This has triggered some fascinating discussion! I highly recommend a skim through the debate on Mastodon and Hacker News. Since that was posted, quite a few people have ...
Update: This post sparked a lot of excellent discussion and debate on workarounds, and there are now multiple working solutions to allow certificate injection on Android 14, despite the restrictions discussed here. See the update post for more details. When Android was initially announced in 2007 by the Open Handset Alliance (headed by Google) their...
There's been a lot of concern recently about the Web Environment Integrity proposal, developed by a selection of authors from Google, and apparently being prototyped in Chromium. There's good reason for anger here (though I'm not sure yelling at people on GitHub is necessarily the best outlet). This proposal amounts to attestation on the web, limit...
Caching is hard. Unfortunately though, caching is quite important. Hosted caching & CDNs offer incredible powers that can provide amazing performance boosts, cost savings & downtime protection, essential for most modern sites with any serious volume of users. Unfortunately, while there are strict standards for how caching is supposed to work with H...
This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
Much modern tech heavily undervalues backward compat & associated churn costs. Platforms can fix this (see ...
Result: https://github.com/httptoolkit/httptoolkit-android/commit/b9d1e945c986df19c842ab644fb320b3a9a8eaff Minu...
I have really enjoyed most of Kotlin as a language overall (although I much prefer JS's simpler concurrenc...
People complain about churn in JS land, but my god the web is so lucky to have widespread commitment to backwa...
Final answer - https://www.joshwcomeau.com/react/css-in-rsc/ from @joshwcomeau.com seems like the best summary...
In fact, doing more digging, the 'Future' section in https://github.com/reactwg/react-18/discussions/1...
I'm finally looking to migrate away from styled components for the @httptoolkit main app UI (basically a b...
Answer by Tim Perry for How to bypass Root Check with http toolkit
There is no quick answer, but the general solution to this is to modify the app to remove the root check. You ...
I thought npm added some built-in typo blocking a while back, and a one-char difference like mockttp -> moc...
Been up for 10 days, with under 100 downloads total (and presumably a lot of those are the publishers testing ...
This seems like nothing to worry about, looks like it just searches for your crypto details and runs some litt...
Stay safe out there kids - just found out my package Mockttp is being typosquatted by 'mocktp', which ...
https://lagrangepoint.substack.com/p/airpods-hearing-aid-hacking is absolutely awesome. A delightful bit of rev...
Want up to €158,000 in funding to work on open source? https://new.prototypefund.de/en/ is offering €158k over...
Fix local description sdp type
@pimterry For comparison, the cheapest mini PC options are about €220, and pack much less uumpf. Depends on th...
Just committed to a fun project: upgrading my Framework laptop to Ryzen, and turning the leftover old motherbo...
Types aren't exported
This is no problem and easily recognizable of course from what you actually see in CI, which is just the signi...
And why is CI broken now? For the HTTP Toolkit desktop app build, seriously 99% of the time, this is the answer...
New repo: httptoolkit/check-vc-redistributable
@pimterry Being off work on a solo project is challenging and not much discussed in #indiehacker land. But it&...
Been off work now for 2 months of paternity leave (👶!) but today's back to the office day. First step, catc...
In fact, let's ask around: Does anybody have a recommended Mastodon/Bluesky cross-posting solution? #mastodo...
Answer by Tim Perry for http-toolkit : Connection aborted even though I'm using the security config
This is due to Flutter, which ignores external certificate configuration (on Android and all systems, as far a...