Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

As of February 14th 2024, RFC 9512 formally registers application/yaml as the media type for all YAML content, and adds +yaml as a standard structured suffix for all more specific YAML-based media types. With this registration, it's now included in the official media types list maintained by the IANA. Media types like this (also known as the MIME t...
The X-Forwarded-For (XFF) HTTP header provides crucial insight into the origin of web requests. The header works as a mechanism for conveying the original source IP addresses of clients, and not just across one hop, but through chains of multiple intermediaries. This list of IPv4 and IPv6 addresses is helpful to understand where requests have reall...
Idempotency is when doing an operation multiple times is guaranteed to have the same effect as doing it just once. When working with APIs this is exceptionally helpful on slow or unreliable internet connections, or when dealing with particularly sensitive actions such as payments, because it makes retrying operations safe and reliable. This is why ...
It's hard to work on APIs without hearing about OpenAPI. OpenAPI is an API description format, which is essentially metadata that describes an HTTP API: where it lives, how it works, what data is available, and how it's authenticated. Additional keywords can be used to provide all sorts of validation information, adding a type system to what would ...
Everything crashes. Sometimes things crash when they're running inside a Docker container though, and then all of a sudden it can get much more difficult to work out why, or what the hell to do next. Docker's great, but it's an extra layer of complexity that means you can't always easily poke your app up close any more, and that can really hinder d...
A couple of weeks ago I published a post about changes in Android 14 that fundamentally break existing approaches to installing system-level CA certificates, even with root access. This has triggered some fascinating discussion! I highly recommend a skim through the debate on Mastodon and Hacker News. Since that was posted, quite a few people have ...
Update: This post sparked a lot of excellent discussion and debate on workarounds, and there are now multiple working solutions to allow certificate injection on Android 14, despite the restrictions discussed here. See the update post for more details. When Android was initially announced in 2007 by the Open Handset Alliance (headed by Google) their...
There's been a lot of concern recently about the Web Environment Integrity proposal, developed by a selection of authors from Google, and apparently being prototyped in Chromium. There's good reason for anger here (though I'm not sure yelling at people on GitHub is necessarily the best outlet). This proposal amounts to attestation on the web, limit...
Caching is hard. Unfortunately though, caching is quite important. Hosted caching & CDNs offer incredible powers that can provide amazing performance boosts, cost savings & downtime protection, essential for most modern sites with any serious volume of users. Unfortunately, while there are strict standards for how caching is supposed to work with H...
This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact and control their own data directly. At the same time, ...
Answer by Tim Perry for Is there a way to get the device name using adb? For example, if the device name is John Doe's Nexus, how to get the name using a command?
It's not totally clear, but you may be looking for the user-editable 'device name' (in the settings, under 'Ab...
Answer by Tim Perry for stop Charles from tracking my app's requests without SSL Pinning in iOS
No - there's no way to do this, and actually even SSL pinning cannot guarantee this. More generally: it is imp...
A new testimonial for httptoolkit.com that I'm very very pleased with indeed. Kind words notably coming fro...
Answer by Tim Perry for local docker interception, HTTP, doesn't intercept or CORS
HTTP Toolkit (and all similar tools) act as HTTP proxies. That means that to intercept traffic using them, you...
New repo: httptoolkit/usbmux-client
🥳
Spent some of the weekend playing with Arduinos + Home Assistant (@homeassistant) to keep a better eye on my p...
Comment by Tim Perry on How to correctly trace all outboud Node.js request on server apps with Express
You can intercept, fully view & manually modify all traffic from all sources in the free version. If you find ...
Answer by Tim Perry for How to correctly trace all outboud Node.js request on server apps with Express
Node.js ignores proxy settings by default, unlike many languages (see https://github.com/nodejs/node/issues/83...
A user has triggered a minor meltdown by emailing a template GDPR right to be forgotten email to me and the su...
Node v22 is out today (https://github.com/nodejs/node/releases/tag/v22.0.0) and it's a biggie: - Support fo...
Comment by Tim Perry on HTTP Toolkit interception with Android emulator interfering: app not working when enabled
in fact, I see you're at UAB - I'm in Barcelona too! In Gracia. Do you want to come show me the problem some t...
Comment by Tim Perry on HTTP Toolkit interception with Android emulator interfering: app not working when enabled
No, nothing else should be required on the emulator in general. What's shown in HTTP Toolkit on your computer?...
I've been nominated to join the Node.js core collaborators team! ☺️ https://github.com/nodejs/node/issues/52...
Comment by Tim Perry on Capture https traffic of android application with certificate pinning
If you remove scripts from the command line one by one, can you work out which script is causing this issue? Y...
And merged 🚀 Still terrifying. 30-odd lines of code running in every OpenSSL TLS handshake makes this very like...
Further updates required very significantly more relearning of perl than I expected (to read some remarkably c...
Just a casual PR changing the logic used by all modern OpenSSL TLS connections everywhere, no biggie 😬 https:/...
(Looking at https://github.com/openssl/openssl/issues/19220 specifically - help from anybody else interested i...
This is definitely going to end well
I do really enjoy the way some user feedback (https://github.com/httptoolkit/httptoolkit/issues/579) leads me ...
Testing out the HTTP Toolkit app on teeny weeny screens, and it turns out Android Studio has a Nexus One mod...
Comment by Tim Perry on HTTP Toolkit interception with Android emulator interfering: app not working when enabled
How long have you had HTTP Toolkit open? If you haven't completely restarted the app in many days, it's possib...
Also gives me two small very accessible Docker hosts that I can run more services for myself on top! So far loo...