When everything goes smoothly with an API, life is pretty straightforward: you request a resource, and voilà, you get it. You trigger a procedure, and the API politely informs you it’s all gone to plan. But what happens when something goes pear-shaped? Well, that’s where things can get a bit tricky. HTTP Status Codes HTTP status codes are like a first aid kit: they’re handy, but they won’t fix everything. They give you a broad idea of what’s gone wrong, which can help plenty of too...| HTTP Toolkit
The Open Source Pledge is a new push to make companies commit to funding the maintainers of the open-source software they depend on, and to publicly recognize the ones that do. HTTP Toolkit has donated back to maintainers for a few years now, but joining the Open Source Pledge today means formally committing to that, and to doing so publicly with a sustainable minimum level ($2000 per full-time developer, or higher) indefinitely into the future. What is the Open Source Pledge? HTTP Toolkit (a...| HTTP Toolkit
As of February 14th 2024, RFC 9512 formally registers application/yaml as the media type for all YAML content, and adds +yaml as a standard structured suffix for all YAML-based more specific media types. With this registration, it's now included in the official media types list maintained by the IANA. Media types like this (also known as the MIME types, from their original invention for email attachment metadata) are heavily used particularly in HTTP Content-Type headers for both requests & r...| HTTP Toolkit
Idempotency is when doing an operation multiple times is guaranteed to have the same effect as doing it just once. When working with APIs this is exceptionally helpful on slow or unreliable internet connections, or when dealing with particularly sensitive actions such as payments, because it makes retrying operations safe and reliable. This is why most payment gateways like Stripe and Adyen support 'idempotency keys' as a key feature of their APIs. Recently, the IETF have gone further, and cr...| HTTP Toolkit
Everything crashes. Sometimes things crash when they're running inside a Docker container though, and then all of a sudden it can get much more difficult to work out why, or what the hell to do next. Docker's great, but it's an extra layer of complexity that means you can't always easily poke your app up close any more, and that can really hinder debugging when your container fails to start or breaks in unusual ways. If you're stuck in that situation, here are my goto debugging commands to he...| HTTP Toolkit
A couple of weeks ago I published a post about changes in Android 14 that fundamentally break existing approaches to installing system-level CA certificates, even with root access. This has triggered some fascinating discussion! I highly recommend a skim through the debate on Mastodon and Hacker News. Since that was posted, quite a few people have talked to me about possible solutions, going beyond the previous approaches with new mechanisms that make it practical to do this in Android 14+, a...| HTTP Toolkit
Update: This post sparked a lot of excellent discussion and debate on workarounds, and there are now multiple working solutions to allow certificate injection on Android 14, despite the restrictions discussed here. See the update post for more details. --- When Android was initially announced in 2007 by the Open Handset Alliance (headed by Google) their flagship project was billed as an "open platform", "providing developers a new level of openness", and giving them "complete access to handset...| HTTP Toolkit
This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to your account. In the past, I've wished for this, because I maintain a fair few npm packages including some very widely used ones. The previous solutio...| HTTP Toolkit
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially described, this would've been catastrophic: Docker Hub has been used as the default host in tooling, tutorials, demos, blog posts, scripts, deployment...| HTTP Toolkit
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements anywhere, but buried deep in the enterprise release notes for Chrome v99 there's a small note that says: Certificate transparency is already enforc...| HTTP Toolkit
Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. This is bad! This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodet...| HTTP Toolkit
It's hard to work on APIs without hearing about OpenAPI. OpenAPI is an API description format, which is essentially metadata that describes…| httptoolkit.com
There's been a lot of concern recently about the Web Environment Integrity proposal, developed by a selection of authors from Google, and apparently being...| httptoolkit.com
Caching is hard. Unfortunately though, caching is quite important. Hosted caching & CDNs offer incredible powers that can provide amazing…| httptoolkit.com
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS…| httptoolkit.com
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to…| httptoolkit.com
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and…| httptoolkit.com
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a…| httptoolkit.com
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small…| httptoolkit.com
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that…| httptoolkit.com
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching…| httptoolkit.com
Through the Next Generation Internet (NGI) initiative, HTTP Toolkit has been selected for funding from the EU's Horizon research…| httptoolkit.com
Today Node.js announced and released a security fix for CVE-2021-22939, along with two other high severity issues. They've rated this…| httptoolkit.com
There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5). I don't want to rehash the basics of that, but I…| httptoolkit.com
Once upon a time, loading common scripts & styles from a public CDN like cdnjs or Google's Hosted Libraries was a 'best practice' - a great…| httptoolkit.com
Some Android apps go to astounding lengths to ensure that even the owner of a device can never see the content of the app's HTTPS requests…| httptoolkit.com
HTTP content encoding is an incredibly powerful tool that can save you huge amounts of bandwidth and make your web or mobile application…| httptoolkit.com
HTTP(S) is the glue that binds together modern architectures, passing requests between microservices and connecting web & mobile apps alike…| httptoolkit.com
Traditionally, a TCP port has a single server listening for incoming connections, and that server expects you to send messages in the right…| httptoolkit.com
CORS can be complicated. If you're struggling with it, you might discover the concept of a 'CORS proxy' that promises to solve this, like…| httptoolkit.com
HTTP is used by almost all Android apps to request data, load content, and send changes to backend servers. If you can see and edit these…| httptoolkit.com
Java and the JVM more generally are widely used for services everywhere, but often challenging to debug and manually test, particularly in…| httptoolkit.com
HTTP is fundamental to modern development, from frontend to backend to mobile. But like any widespread mature standard, it's got some funky…| httptoolkit.com
CORS is a necessity for many APIs, but basic configurations can create a huge number of extra requests, slowing down every browser API…| httptoolkit.com
DNS is one of those invisible technologies that you use every day, but which works so well that you can conveniently ignore it. That is…| httptoolkit.com
Wouldn't it be neat if you could take any HTTP request URL, and immediately find the matching API documentation, along with a detailed…| httptoolkit.com
All things come to an end, even HTTP APIs. However great your API may be today, one day you'll want to release a completely new version, an…| httptoolkit.com
If you use the command-line all day, CLI improvements can add a huge boost to your workflow. One of the simplest ways to improve things is…| httptoolkit.com
When an API request doesn't work, hopefully the client receives a sensible HTTP error status, like 409 or 500, which is a good start…| httptoolkit.com
To intercept, inspect or manipulate HTTPS traffic, you need the HTTPS client to trust you. If you want to intercept your own HTTPS on…| httptoolkit.com
Travis has been the most popular place to build open-source code for a long time, but the world is moving on. GitHub Actions is modern…| httptoolkit.com
Your request is hitting an error due to CORS. Not all is lost! Most CORS errors are quick & easy to debug and fix, once you understand the…| httptoolkit.com
Your trusted Certificate Authorities (CAs) are the organizations that you trust to guarantee the signatures of your encrypted traffic and…| httptoolkit.com
The fundamentals of GraphQL are remarkably simple. Nonetheless, a busy hype train & rocket-speed ecosystem means that building a GraphQL API…| httptoolkit.com
Can you build an Android app that can inspect & rewrite the network traffic from every other app on the device? It turns out that, yes, you…| httptoolkit.com
Oh no, your JavaScript code isn't just throwing an exception or crashing: it's segfaulting. What does that mean, and how can you fix it? You…| httptoolkit.com
Semantically, what changed in HTTP/2? Multiplexed connections, binary frames, header compression - all the headline changes are syntactic…| httptoolkit.com
TypeScript 4 is coming up fast: a first beta release is planned for this week (June 25th), with the final release aiming for mid-August. It…| httptoolkit.com
Ever heard of ? It's a draft W3C web security standard, defining an HTTP header and iframe attribute that sets limits on the browser…| httptoolkit.com
In the coming months, browsers are going to start killing the HTTP header to replace it with user-agent client hints, a set of opt-in…| httptoolkit.com
There's a lot that can go wrong when talking to servers on the web. When you're building and running a web service, keeping an eye on errors…| httptoolkit.com
Does the rise of serverless mean we need a new HTTP status code? The team at Oracle think so. They've submitted a draft specification to the…| httptoolkit.com
Chrome 79 brings some important changes in its CORS implementation, rolling out now, which mean that CORS preflight OPTIONS requests will no…| httptoolkit.com
Certificate infrastructure is built on trust. If you trust the wrong thing, it all falls down. Unfortunately, we developers do it all the…| httptoolkit.com
HTTP Toolkit is a bootstrapped commercial open-source project. It takes work from me, and it needs to make money to survive, but it's also…| httptoolkit.com
Debugging is an important skill for any developer. Arguably the most important skill, if you consider debugging in the general sense…| httptoolkit.com
Naming a price for your latest magnum opus is one of the hardest decisions in releasing a product. In theory you price on the value you're…| httptoolkit.com
The TypeScript 3.7 release is coming soon, and it's going to be a big one. The target release date is November 5th, and there's some…| httptoolkit.com
Node.js runs on an event loop. It holds a queue of tasks to run, and runs them, one by one. New tasks appear on the queue while it runs…| httptoolkit.com
In the next release of macOS (10.15), if your app isn't notarized, your users can't run it. If you're distributing Mac apps, you need to…| httptoolkit.com
HTTP Toolkit is a suite of open-source & cross-platform tools for developing, debugging & testing anything using HTTP. It lets you intercept…| httptoolkit.com
As a JavaScript developer nowadays, almost everything you use comes from npm. Unfortunately, not absolutely everything: there's still a…| httptoolkit.com
Netlify functions are a quick, easy & powerful tool, but like most serverless platforms, they can be even more difficult to debug & monitor…| httptoolkit.com
Debug HTTP(S) from git, npm, apt-get, or any other CLI tool. The command line is powerful, but can be hard to understand, and extremely hard…| httptoolkit.com
Nothing is ever finished or perfect, and HTTP is no exception. HTTP QUERY is a new HTTP method, for safe requests that include a request…| httptoolkit.com