03 Oct 25
Most HTTP vulnerabilities don’t come from sophisticated attacks. They come from misunderstanding where your framework stops protecting you. This covers the edge cases that actually bite production APIs: Range headers, path traversal, encoding conflicts, and request smuggling.
21 Jul 25
Because I want to get into the habit of
25 Jun 25
01 May 25
03 Apr 25
28 Mar 25
27 Feb 25
03 Feb 25
httptap is a process-scoped HTTP tracer that you can run without root privileges. You can run httptap <command> where <command> is a Linux program and you get a trace of HTTP/HTTPS requests and responses in standard output.
It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won’t install any iptables rules or make other global system changes.
11 Jan 25
13 Oct 24
09 Aug 24
A free bulk domain (who is) checker tool for checking domain availability based on WHOIS lookups.
18 Apr 24
15 Apr 24
Caddy is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
20 Feb 24
07 Feb 24
A simple single binary file server, good for sharing things fast and quick
31 Jan 24
Convert curl to Python, JavaScript and more
29 Jan 24
convert from curl to a bunch of other formats
29 Nov 23
Quickly and easily assess the security of your HTTP response headers
17 Nov 23
“Support for QUIC and HTTP/3 protocols is available since 1.25.0”
Debian 12 is still on nginx 1.22.1 so this’ll have to wait for me 🤷🏻♀️