mitmproxy — The Interactive HTTPS Proxy for Debugging and Reverse Engineering
mitmproxy is a free, open-source interactive HTTP/HTTPS/HTTP2/WebSocket proxy for developers, researchers, and security professionals. Inspect, modify, and replay traffic on the fly — from the terminal, a web UI, or Python scripts.
What it is
mitmproxy is a free, open-source interactive HTTP/HTTPS/HTTP2/WebSocket proxy. It sits between your device and the internet, decrypts HTTPS traffic (after CA certificate installation), and displays every request and response. You can inspect, modify, and replay traffic on the fly.
mitmproxy serves three audiences: mobile developers inspecting app traffic, QA teams simulating broken or slow networks, and security researchers reverse-engineering protocols. It ships with three interfaces: a terminal TUI (mitmproxy), a web dashboard (mitmweb), and a headless capture tool (mitmdump).
How it saves time or tokens
Without a proxy, debugging API calls requires adding logging to application code, rebuilding, and redeploying. mitmproxy lets you see real traffic instantly without code changes. The Python scripting API means you can write custom interceptors -- blocking certain requests, injecting headers, or modifying response bodies -- in a few lines. For AI development workflows, this is particularly useful when debugging LLM API calls to see exact token usage and response timing.
How to use
- Install mitmproxy: brew install mitmproxy (macOS) or pip install mitmproxy.
- Launch the proxy: run mitmproxy for terminal UI, mitmweb for browser UI, or mitmdump -w traffic.mitm for headless capture.
- Configure your device or browser to use 127.0.0.1:8080 as HTTP proxy.
- Install the CA certificate by visiting http://mitm.it while the proxy is running.
Example
# custom_script.py -- log all API calls to OpenAI
from mitmproxy import http


def response(flow: http.HTTPFlow) -> None:
    # mitmproxy calls this hook once the full response has been received.
    if 'api.openai.com' in flow.request.pretty_host:
        print(f'[OpenAI] {flow.request.method} {flow.request.path}')
        print(f' Status: {flow.response.status_code}')
        # content can be None when the body is unavailable, so fall back to empty bytes
        print(f' Size: {len(flow.response.content or b"")} bytes')

# Run with the script
mitmdump -s custom_script.py
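An added example (not from the original page or the mitmproxy project) that extends the script above to the token usage and timing mentioned earlier, and masks credential headers so a decrypted API key never reaches the log. It assumes the JSON `usage` object returned by OpenAI's non-streaming endpoints; `summarize`, `redact_headers` and `constructed_flow` are names chosen for this example.

```python
# llm_usage.py -- added example; load with: mitmdump -s llm_usage.py
import json
from types import SimpleNamespace

LLM_HOSTS = {"api.openai.com"}            # exact host match, not substring
SECRET_HEADERS = {"authorization", "cookie", "x-api-key", "api-key"}

def redact_headers(headers):
    """Copy headers, masking credential values so logs never hold live keys."""
    return {k: "<redacted>" if k.lower() in SECRET_HEADERS else v
            for k, v in headers.items()}

def summarize(flow):
    """Return a log-safe dict for an LLM API flow, or None for other traffic."""
    req, resp = flow.request, flow.response
    if resp is None or req.pretty_host not in LLM_HOSTS:
        return None
    try:
        body = json.loads(resp.content or b"{}")
    except ValueError:                     # streamed (SSE) or non-JSON body
        body = {}
    usage = body.get("usage") if isinstance(body, dict) else None
    start, end = req.timestamp_start, resp.timestamp_end
    return {
        "method": req.method,
        "path": req.path.split("?", 1)[0],  # drop query string, may hold tokens
        "status": resp.status_code,
        "seconds": round(end - start, 3) if start and end else None,
        "usage": usage or {},
        "request_headers": redact_headers(req.headers),
    }

def response(flow):
    """mitmproxy event hook: called once per completed response."""
    summary = summarize(flow)
    if summary is not None:
        print("[LLM]", json.dumps(summary))

def constructed_flow():
    """Constructed sample standing in for a mitmproxy HTTPFlow (not real traffic)."""
    body = {"usage": {"prompt_tokens": 12, "completion_tokens": 30, "total_tokens": 42}}
    return SimpleNamespace(
        request=SimpleNamespace(
            pretty_host="api.openai.com", method="POST",
            path="/v1/chat/completions?trace=1", timestamp_start=100.0,
            headers={"Authorization": "Bearer sk-constructed", "Content-Type": "application/json"}),
        response=SimpleNamespace(
            status_code=200, timestamp_end=101.25,
            content=json.dumps(body).encode()))
```

The script needs no mitmproxy import because the hook is duck-typed; capture files written with mitmdump -w still contain the unredacted headers, so treat them as secrets.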
Common pitfalls
- HTTPS interception requires installing mitmproxy's CA certificate on the client device. Without it, you only see encrypted traffic. Certificate-pinned apps will reject the proxy entirely.
- Some applications detect proxy usage and refuse connections. Mobile apps with certificate pinning need additional tools like Frida to bypass.
- Running mitmproxy on a shared network without consent is illegal in most jurisdictions. Use it only on traffic you own or have permission to inspect.
Frequently Asked Questions
Yes. mitmproxy is free and open-source under the MIT license. There are no paid tiers or premium features. The full functionality including terminal UI, web UI, Python scripting, and all protocol support is included.
Yes, after you install its CA certificate on the client device. mitmproxy generates certificates on the fly, signed by its CA, to decrypt and re-encrypt HTTPS traffic. Visit http://mitm.it while the proxy is running to install the certificate.
mitmproxy is the terminal-based interactive UI. mitmweb provides a browser-based web interface. mitmdump is a headless tool for scripted capture and replay. All three share the same proxy engine and support the same Python scripting API.
Yes. Configure the mobile device to use your computer as HTTP proxy, install the mitmproxy CA certificate on the device, and all HTTP/HTTPS traffic flows through mitmproxy for inspection. This works for both iOS and Android.
Yes. mitmproxy can intercept, display, and modify WebSocket messages. Both the terminal UI and web UI show WebSocket frames alongside HTTP traffic in the same session.