HTTP

Caddy is great. HTTPie & HTTP Toolkit are useful. HTTP Docs has nice overview.

Status code summary (as cats):

1xx: hold on
2xx: here you go
3xx: go away
4xx: you fucked up
5xx: I fucked up

kawipiko is neat static HTTP server.

Notes

• HTTP return codes cheat sheet: 1 Hold on 2 Here you go 3 Go away 4 You fucked up 5** I fucked up
• jo | curl --json | jq is great.

Links

• Know your HTTP well
• HTTP/3 explained - Document describing the HTTP/3 and QUIC protocols. (Code) (Presentation)
• The modern Web - Good explanation of web networking.
• WireMock - Tool for mocking HTTP services.
• Apache HTTP Server (Web) (HN)
• llhttp - Port of http_parser to llparse.
• Proxyman - Modern and intuitive HTTP Debugging Proxy for macOS & iOS. (Web)
• see - Static web server, developed using rust.
• HTTP 203 podcast
• HTTP Cats (HN)
• HTTP Security Headers - A Complete Guide (2019) (HN)
• serve-dir - "python -m SimpleHTTPServer" but FAST.
• Yaws web server - HTTP high performance 1.1 webserver particularly well suited for dynamic-content web applications.
• Vulcain - Use HTTP/2 Server Push to create fast and idiomatic client-driven REST APIs.
• nghttp2 - Implementation of the Hypertext Transfer Protocol version 2 in C.
• h2spec - Conformance testing tool for HTTP/2 implementation.
• HTTP Made Really Easy - Practical Guide to Writing Clients and Servers.
• Mini HTTP guide for developers (2020) - Glance behind the curtain: it can affect engineering decisions.
• How HTTPS works in a comic (HN)
• HTTP Caching (2018) - Everything you need to know about web caching.
• The Status of HTTP/3 (2020) (HN)
• Cassowary - Modern cross-platform HTTP load-testing tool written in Go.
• TwitterServer - Defines a template from which services at Twitter are built.
• curl HTTP cheat sheet
• Big list of HTTP static server one-liners (HN) (HN)
• miniserve - CLI tool to serve files and dirs over HTTP. (Tweet)
• wrk - Modern HTTP benchmarking tool.
• PollyJS - Record, replay, and stub HTTP interactions. (Code)
• Broxy - HTTP/HTTPS intercept proxy written in Go.
• Smokescreen - Simple HTTP proxy that fogs over naughty URLs.
• HTTPie - CLI, cURL-like tool for humans.
• http - Host These Things Please - a basic http server for hosting a folder fast and simply.
• httpmole - Provides a HTTP mock server that will act as a mole among your services, telling you everything http clients send to it and responding them whatever you want it to respond.
• oha - Tiny program that sends some load to a web application.
• James - HTTP Proxy and Monitor that enables developers to view and intercept requests made from the browser.
• Let's Build A Web Server
• FF Proxy - Proxy server which enables you to fire and forget HTTP requests.
• Understanding Cross-Origin Resource Sharing (CORS) (2019)
• Comparing HTTP/3 vs. HTTP/2 Performance (2020) (HN)
• Webhook.site - Easily test HTTP webhooks with this handy tool that displays requests instantly.
• AutoCannon - Fast HTTP/1.1 benchmarking tool written in Node.js.
• Servor - Dependency free file server for single page app development.
• wuzz - Interactive cli tool for HTTP inspection.
• The HTTP headers you don't expect (2020) (Reddit) (HN)
• DOM4 - Fully tested and covered polyfill for new DOM Level 4 entries.
• How HTTP Requests Work (2020)
• templar - HTTP proxy to improve usage of HTTP APIs.
• sirv - Optimized middleware & CLI application for serving static files.
• httpbin - HTTP Request & Response Service. (Code)
• srv - Minimalist http(s) server and file browser. (Lobsters)
• Pact Go - Golang version of Pact. Pact is a contract testing framework for HTTP APIs and non-HTTP asynchronous messaging systems.
• Tinyproxy - Light-weight HTTP/HTTPS proxy daemon for POSIX operating systems.
• HTTP in Swift (2020) - Building a Swift HTTP framework.
• Improving HTTP with structured header fields (2020)
• HTTP(S) benchmark tools, testing/debugging, & restAPI (RESTful)
• Cache-Control in the wild (2020)
• PatchGirl - Postman/postwoman like, web app to test your APIs. (Code)
• Will It CORS?
• HTTP Toolkit - Intercept, debug & mock HTTP. (Server Code) (UI Code) (HN)
• HTTP protocol and the web
• Critical Resources and the First 14 KB - A Review (2019)
• Алгоритмы быстрой обработки HTTP-строк (2020)
• What Is HTTP/3 - Lowdown on the Fast New UDP-Based Protocol (2020)
• HTTP/3: From root to tip (2019)
• Gist: HTTP
• RequestBin.com - Modern request bin to collect, inspect and debug HTTP requests and webhooks.
• wrk2 - Constant throughput, correct latency recording variant of wrk.
• Hetty - HTTP toolkit for security research.
• ali - Generate HTTP load and plot the results in real-time.
• cURL security anti-patterns (2020)
• nghttp3 - Implementation of HTTP/3 mapping over QUIC and QPACK in C.
• aria2 - Lightweight multi-protocol & multi-source, cross platform download utility operated in command-line.
• htcat - Parallel and Pipelined HTTP GET Utility.
• How HTTPS Works in Layman’s Terms – TLS 1.2 and 1.3 (2020)
• The Long Road to HTTP/3 (2020) (Lobsters) (HN)
• Arjun - HTTP parameter discovery suite.
• Scriproxy - Easy-to-use dynamic(scriptable) reverse proxy server.
• teler - Real-time HTTP Intrusion Detection.
• Writing a Fast HTTP Parser (2015) (Lobsters)
• HTTP/3 test servers (Web)
• Remix Run - Introduction to HTTP Caching (2020)
• HTTP explained in parts (2018)
• nuster - High-performance HTTP proxy cache server and RESTful NoSQL cache server based on HAProxy.
• bombardier - Fast cross-platform HTTP benchmarking tool written in Go.
• H20 - Optimized HTTP/1, HTTP/2, HTTP/3 server. (Web)
• Hoppscotch CLI - Send HTTP requests from terminal. An alternative to cURL, httpie.
• Locust - Scalable user load testing tool written in Python. (Web)
• k6 - Modern load testing tool, using Go and JavaScript. (Web) (Docs) (Docs Code)
• HTTP/2 Push is dead (2020) (HN) (Lobsters)
• serve-http - Simple single-file local web server.
• httprobe - Take a list of domains and probe for working http and https servers.
• Piping Server - Infinitely transfer between every device over HTTP/HTTPS.
• devserver - Simple HTTPS server for local development. Implemented in Rust. (Building devserver: An Ultra-Tiny Rust Server)
• Hurl - Run and test HTTP requests with plain text, curl and Rust. (Docs) (HN)
• GoReplay - Capture your existing users activity and re-use it for testing your application. With GoReplay you can perform shadowing, load testing, or detailed analysis and monitoring. (Web)
• ht - Yet another HTTPie clone in Rust. (HN)
• How to use HTTPS for local development (2021)
• HTTP Pipelining, S3, and gg (2021) (Lobsters)
• monsoon - Fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.
• HTTPWTF (2021) (HN)
• httpit - Rapid http(s) benchmark tool written in Go.
• Serving a single file over HTTP with Rust and Go (2021)
• Unix Domain Sockets for Serving HTTP in Production (2021) (Lobsters)
• Where is HTTP/3 right now? (2021)
• darkhttpd - HTTP server in a single .c file. (HN)
• Reproxy - Simple edge server / reverse proxy. (Web)
• HTTP Prompt - Interactive command-line HTTP and API testing client built on top of HTTPie featuring autocomplete, syntax highlighting, and more. (Web)
• Security Headers - Analyze your HTTP response headers.
• esbuild-dev-server - Playground for esbuild, file watching, server-sent events, and HTTP servers.
• Trickster - HTTP reverse proxy/cache for http applications and a dashboard query accelerator for time series databases.
• GLORP - CLI-based HTTP intercept and replay proxy.
• low-http-server - HTTP server implementation for Node.js based on uWebSockets.js.
• HTTP/2: 5 things every Enterprise Architect needs to know (2021)
• CSRF, CORS, and HTTP Security headers Demystified (HN)
• Forwarding HTTP/S Proxy - Useful when one wants to have originating requests to a destination service from a set of well-known IPs.
• GoHFS - Minimal HTTP File Server for pentesting written in Go.
• Dolores - Local development HTTPS proxy server meant to simplify working with multi-domain applications by serving each application on separate domain under .localhost TLD.
• Rlay - Development tool that allows you to forward HTTP calls to your local machine through a server. (Article)
• Extreme HTTP Performance Tuning (2021) (HN)
• Conditional HTTP GET: The fastest requests need no response body (2021)
• ReWrk - More modern HTTP framework benchmark utility.
• Sozu - HTTP reverse proxy, configurable at runtime, fast and safe, built in Rust. (Web)
• Prestige - Text-based HTTP client in the browser. An interface-less Postman. (Web) (HN)
• Althttpd - Simple web server in a single C-code file by the author of SQLite. (HN)
• Modify HTTP request headers with Transform Rules (2021)
• HTTP Archive - Tracks how the web is built by periodically crawl the top sites on the web. (Twitter)
• Plow - High-performance HTTP benchmarking tool with real-time web UI and terminal displaying.
• Security headers quick reference (2021)
• Encoding data for POST requests (2021) (HN)
• Rate-limiting strategies and techniques
• HTTP Security Headers (2021)
• HTTP/2: The Sequel is Always Worse (2021) (HN) (Lobsters)
• VCR.py - Automatically mock your HTTP interactions to simplify and speed up testing.
• Hudsucker - Intercepting HTTP/S proxy.
• Cache-Control Recommendations (2021)
• cacheable-response - HTTP compliant route path middleware for serving cache response with invalidation support.
• Most important HTTP request headers
• HTTP: Learn your browser's language
• httpcat - Simple utility for constructing raw HTTP requests on the command line.
• parse-curl.js - Parse curl commands, returning an object representing the request.
• CORS Comic
• HTTPie and Print HTTP Request
• How to win at CORS (2021) (Code) (HN)
• Ddosify - High-performance load testing tool, written in Go. (Code)
• Ciao - HTTP checks & tests (private & public) monitoring - check the status of your URL. (Code)
• New HTTP standards for caching on the modern web (2021) (HN)
• An alternative approach to rate limiting (2017)
• Hedged http requests to reduce tail latency (2021)
• QuickServ - User-friendly web server. (HN)
• Pocket load tester - Scale curl requests, cousin of ab, siege, hey.
• How HTTP Keep-Alive can cause TCP race condition (2021)
• xh - Friendly and fast tool for sending HTTP requests.
• HTTP Server Online - Start a local HTTP server without any tools, just open a web page. (HN)
• Timing With Curl (2010) - Command I use often while measuring why an HTTP request is taking too long.
• duma - Minimal file downloader written in Rust.
• Varnish Cache - High-performance HTTP accelerator. (Docs)
• HTTP QUERY Method (2021)
• Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond (2021) (Tweet) (HN)
• httpd - Docker Official Image packaging for Apache HTTP Server.
• HTTP Message Signatures (2021) (HN)
• HTTP Extensions in progress (Code)
• Rusqbin - Web server that stashes your requests for later retrieval. It is available as a Docker image, a binary, and a library.
• New differential fuzzing tool reveals novel HTTP request smuggling techniques (2021) (HN)
• T-Reqs HTTP Fuzzer - Grammar-based HTTP Fuzzer.
• Updog - Replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.
• Armor - Uncomplicated, modern HTTP server.
• Statically Prevent 404s - Gary Bernhardt (2021) (Tweet)
• Serve Folder - Serve a local folder of files in your browser for easy testing without having to run a server. (Code)
• Making your website "cross-origin isolated" using COOP and COEP (2020) (Tweet)
• Oblivious HTTP - System for the forwarding of encrypted HTTP messages.
• hpagent - Ready to use http and https agent for working with proxies that keeps connections alive.
• HTTP/3 Is Fast (2021) (HN)
• Goose - Load testing framework, inspired by Locust.
• SNI Proxy - Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
• Ask HN: Intercepting HTTPS – How can we trust anything? (2021)
• HTTP Snippet - HTTP Request snippet generator for many languages & libraries.
• Using HTTP Basic Auth in 2022 (HN)
• dav-server-rs - Rust WebDAV server library.
• You don't need that CORS request (2021) (HN)
• Awesome WebDAV
• httptunnel - Bidirectional data stream tunnelled in HTTP requests.
• Should you use Let’s Encrypt for internal hostnames? (2022) (Lobsters)
• broadcast - Simple Go server that broadcasts any data/stream.
• Don’t mix URL parsers (2022) (Lobsters)
• serve - Simple and secure Go HTTP server to serve static sites or files from the command-line.
• simple-http-server - Simple HTTP server in Rust (Windows/Mac/Linux).
• Caching Header Best Practices (2022)
• Request bodies in GET requests (HN)
• Observing HTTP/2 Traffic Is Hard, but eBPF Can Help (2022) (HN)
• HTTPie - Human-friendly CLI HTTP client for the API era.
• HTTP/3: Everything you need to know about the next-generation web protocol (HN)
• Fortio - Load testing library, command line tool, advanced echo server and web UI in go.
• resto - CLI app can send pretty HTTP & API requests with TUI.
• shell2http - Executing shell commands via HTTP server.
• Ain - HTTP API client for the terminal.
• Breaking the Rules With Stateful Services (2022) (Lobsters)
• TypedWebhook.tools - Web hook testing tool for checking payloads, with automatic type generation. (Code)
• Smocker - Simple and efficient HTTP mock server and proxy. (Web)
• Braid: Synchronization for HTTP - Extension to HTTP that generalizes it from a state transfer to a state synchronization protocol. (Spec Code)
• Req - Opinionated HTTP scripting language. (Reddit) (HN)
• Requestly - Lightweight Proxy to Intercept & Modify HTTP(s) requests. (HN)
• Penguin - Dev server featuring live-reloading, a file server, proxy support, and more.
• curlconverter - Convert curl commands to code. (Code) (HN)
• httptest - Simple concurrent HTTP testing tool.
• Pact JS - JS version of Pact. Pact is a contract testing framework for HTTP APIs and non-HTTP asynchronous messaging systems.
• httpmirror - Single binary HTTP server that mirrors all request data (headers and body) in the response.
• warp-cors - Proxy server which enables CORS for the proxied request.
• GoQuiet - Shadowsocks obfuscation plugin utilising domain fronting to evade deep packet inspection.
• Decrypting your own HTTPS traffic with Wireshark (2022) (HN)
• whistle - HTTP, HTTP2, HTTPS, Websocket debugging proxy.
• Death by 1000 needles - Simple distributed load generation client written in Go. It is able to fetch simple json config from a local or remote location.
• APIX - Modern HTTP client for the command line.
• go-wrk - Modern HTTP benchmarking tool capable of generating significant load when run on a single multi-core CPU.
• Moclojer - Simple and efficient HTTP mock server with specification in yaml, edn or OpenAPI.
• What curl expects from dependencies (2022)
• TTFB - CLI + Lib to Measure the TTFB of HTTP/1.1 Requests.
• crs - HTTP Response Header Sorting and Filtering.
• SuperTest - Super-agent driven library for testing node.js HTTP servers using a fluent API.
• Idempotency-Key HTTP Header Field
• Deprecation HTTP Header Field
• The surprising complexity of interpreting X-Forwarded-For safely (2022)
• HTTP Feeds - Asynchronous event streaming and data replication with plain HTTP APIs. (Code) (HN)
• HTTP Script Executor - Simple HTTP server to execute scripts. Executing a script on a remote instance by issuing a HTTP request. This eliminates the need to configure SSH.
• Candy - Zero-config reverse proxy server. It makes proxying applications with local top-leveled domains as frictionless as possible.
• local-ssl-proxy - Simple SSL HTTP proxy using a self-signed certificate. Intended for local development only.
• Server Mockr - Mock HTTP APIs for rapid development and reliable testing.
• http-mirror-pipeline - Tool to mirror HTTP request for continuous testing and benchmarking, replayable logging.
• httpstat.us - Simple service for generating different HTTP codes.
• Tracking HTTP/2 Prioritization Issues - Tracks issues / notes for HTTP/2 prioritization across browsers, CDNs and servers.
• http_bench - Go HTTP stress test tool, support single and distributed.
• HTTP API Development Tools - Collection of useful resources for building RESTful HTTP+JSON APIs.
• Flash - Test service to mock slow server responses. (Code)
• http-cache-middleware - High performance connect-like HTTP cache middleware for Node.js. So your latency can decrease to single digit milliseconds.
• Keeping things fresh with stale-while-revalidate (2019)
• SimpleHTTPserver - Go alternative of python SimpleHTTPServer.
• go-curl - Curl TUI with Go as Postman replacement.
• mod_swift - Write Apache Modules in Swift. (Web)
• OpenWebhook - Store and replay webhooks. (Demo)
• A tale of a trailing dot (2022)
• curl-impersonate - Special compilation of curl that makes it impersonate real browsers.
• Duf - Simple file server. Support static serve, search, upload, delete.
• WaybackProxy - HTTP proxy for tunneling requests through the Internet Archive Wayback Machine.
• http-server - Simple and configurable command-line HTTP server.
• hit - Tool to make and manage HTTP requests. (Intro)
• A New Definition of HTTP (2022)
• HTTP/3 (HTTP-over-QUIC) RFC (HN) (Article) (Tweet)
• Boomer - Better load generator for locust, written in Go.
• waitehr - CLI program that waits for HTTP response and retries request until the expected response is received.
• A Cloudflare view of HTTP usage trends (2022)
• HTTP/3 Deep Dive (2020)
• HTTP Documentation - All the HTTP core specs + extensions, neatly filed on a single page.
• Yet More New HTTP Specs (2022)
• Verifiable Credentials HTTP API (Code)
• I've been abusing HTTP Status Codes in my APIs for years (2022) (HN)
• A study of HTTP/2's Server Push Performance Potential (2022)
• Cornichon - Scala DSL for testing HTTP JSON API.
• dlm - Minimal HTTP download manager.
• socks-proxy-agent - SOCKS proxy http.Agent implementation for HTTP and HTTPS.
• Supporting HTTP/2 in Apache NiFi (2022)
• kawipiko - Lightweight static HTTP server written in Go; focused on serving static content as fast and efficient as possible.
• Determining if an HTTP request was sent as beacon/keepalive (2022)
• curl with HTTP/3
• Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling (2022)
• HTTP/1 to HTTP/2 to HTTP/3 (2022)