Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic.

This doesn't appear in the main announcem...

The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using them to create an ID that's sufficiently unique to recognize you and infer details about your network client and device.

This is a privacy problem, which I'm not going to focus o...

I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves.

There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. The...

If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important.

It's also remarkably complicated and confusing.

Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...

Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research & innovation program, to expand beyond HTTP and offer the same interception, debugging & testing functionality for applications built on top of the decentralized web.

This is going to be a huge opportunity to in...

Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request.

This is bad!

This package is used for PAC file suppor...

Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this vulnerability as 'low severity', but I think it's worth a closer look, as (imo) this really understates the risk here, and the potentially widespread impact.

In practice, this poses a risk to anybody making TLS conne...

There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5).

I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems.

That is worth ...

Once upon a time, loading common scripts & styles from a public CDN like cdnjs or Google's Hosted Libraries was a 'best practice' - a great way to instantly speed up your page loads, optimize caching, and reduce costs.

Nowadays, it's become a recipe for security, privacy & stability problems, with near-zero benefit. Just last week, a secu...

Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests.

This is problematic for security research, privacy analysis and debugging, and for control over your own device in general. It's not a purely theoretical problem either - protections like this attempt to direct...

HTTP content encoding is an incredibly powerful tool that can save you huge amounts of bandwidth and make your web or mobile application faster, basically for free.

Unfortunately, it's poorly understood by most developers. There's a lot of power here, but few people are aware of the options or what "content encoding" really means, so it's mostly le...

HTTP(S) is the glue that binds together modern architectures, passing requests between microservices and connecting web & mobile apps alike to the APIs they depend on.

What if you could embed scripts directly into that glue?

By doing so, you could:

  • Inject errors, timeouts and unusual responses to test system reliability.
  • Record & report ...

Traditionally, a TCP port has a single server listening for incoming connections, and that server expects you to send messages in the right protocol for that port. For HTTP, it's normally a web server that'll send you a response directly, or some kind of proxy that will pass all requests through to another server, and then pass the responses back.


Nothing is ever finished or perfect, and HTTP is no exception.

HTTP SEARCH is a new HTTP method, for safe requests that include a request body. It's still early & evolving, but it was recently adopted as an IETF draft standard, and it's going to add some great new tools for HTTP development everywhere.

What does that mean, why do we need a new...

Remove unnecessary mismatched trailers check
🥳 Yay, fetch is now global in Node.js v18! 😕 Node's fetch still has subtle bugs and incompatibilities with node-fe… https://twitter.com/i/web/status/1522539974943518720
I strongly suspect this is the future, and you can see the same happening even in Node.js, even where it already ha… https://twitter.com/i/web/status/1522196341715316736
Just published the very first release of MockRTC - a mock peer & MitM proxy for WebRTC. MockRTC lets you write aut… https://twitter.com/i/web/status/1522190243507617792
Improve null pointer checks for tracks & channels
> The WebSocket API is an HTTP 1.1 standard > WebSockets is ... an outdated and unmaintained protocol Oh dear oh… https://twitter.com/i/web/status/1521816296010223622
I'm not sure exactly why this would happen, but I'm sure it means you're doing something very very wrong in your da… https://twitter.com/i/web/status/1521146366206132224

You need to wait until the server is actually started before running your test, by waiting for the promises returned by mockServer.start() (and by .stop()).

You can either make your beforeEach & afterEach functions async and then await those lines, or you can just add return to return the promise so that Mocha waits for them automatically.

Don't say government funding never solves real issues - the work for my @NgiPointer @DigitalEU grant just led to m… https://twitter.com/i/web/status/1519986799799582720
Ooooh interesting, the EU has just launched its own Mastodon server, hosting accounts just for the official EU digi… https://twitter.com/i/web/status/1519682606924771329
In many languages with modern package managers (npm, cargo) it's usually sensible to commit dependency lockfiles in… https://twitter.com/i/web/status/1519621185411031041
https://a.gup.pe/ is a great example of the magic of open protocols (and of the Fediverse specifically). It'… https://twitter.com/i/web/status/1519024296512925701
The great Twitpocalypse makes today a great day to go visit @joinmastodon! I'm https://toot.cafe/@pimterry, come say hi.

No, it's not possible.

As of right now, AFAIK there are no HTTP debugging proxies that support HTTP/3. For Fiddler specifically, they only shipped HTTP/2 support a few months ago (Jan 2022, 7 years after HTTP/2 was standardized) and only in Fiddler Everywhere. There's no mention of any timeline for shipping it in Fiddler Classic I can see, maybe ne...

This is due to limitations in recent versions of Android. On unrooted devices, it is impossible to install system certificates.

You can still intercept HTTPS traffic using just user certificates, but you will only be able to intercept apps that opt into this by explicitly trusting user certificates. Most apps don't do this, so this is useful for de...

On recent Android versions, it's no longer possible to install system certificates, and installing user certificates is much harder. It's not possible to just open the file normally to install it, and apps can't show you any prompts to trigger installation either.

For more details on the change and how this works, see https://httptoolkit.tech/blog/...

This in fact shouldn't happen, and it doesn't happen in Firefox.

It turns out this is a bug in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1315611

I have two peers both sending video over WebRTC. The peers use perfect negotiation in parallel, which means in some cases one peer may make an offer, and then throw it away and use the other peer's offer instead. For some reason when this happens, once the connection opens for real and this peer receives a media track, the track is already immediat...

I'm the developer of HTTP Toolkit. The feature you're looking for does not exist yet.

That blog post is just a proposal and an announcement of funding, and the screenshot is only an example mockup of the future UI.

This will be available within the next few months (keep an eye on that blog and the mailing list for updates) but it's not available tod...

If you're interested in this being easier, star the Google issue here: issuetracker.google.com/issues/168169729?pli=1
RFC 9225: Software Defects Considered Harmful https://www.rfc-editor.org/rfc/rfc9225.html
Very nice! Thank you. I'd still be interested if anybody has a shorter script or one that doesn't need a temporary file, but this will definitely work.

For some internal script distribution, I want to be able to give users a single command they can paste into a Windows cmd window that will run a batch script from a URL.

In bash, the equivalent would be eval "$(curl -sS https://example.com/my-script)" or curl https://example.com/my-script | bash (but really I do need something more like t...

What's the modern etiquette for node polyfills in universal/isomorphic JS libs? Should libs which depend on built-… https://twitter.com/i/web/status/1507419491671621637
Fascinating how culture affects software. Case in point I've been hitting recently: monolingual software configura… https://twitter.com/i/web/status/1506990496970948611