Add http-mitm-proxy for HTTPS interception #37
- Install http-mitm-proxy package
- Add test script demonstrating header injection
- Auto-generates certs per domain on first connect
- Works with curl, Python, Node when CA is trusted

To use system-wide:
cp .http-mitm-proxy/certs/ca.pem /usr/local/share/ca-certificates/mitm.crt
update-ca-certificates
export https_proxy=http://localhost:8080
| "@opentui/core": "^0.1.55", | ||
| "@opentui/react": "^0.1.55", | ||
| "effect": "^3.19.8", | ||
| "http-mitm-proxy": "^1.1.0", |
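Review bot: On the `"http-mitm-proxy": "^1.1.0"` line, the caret range accepts any later 1.x release at install time. For a package that sits in the TLS path and generates certificates, consider pinning the exact version (`"1.1.0"`) so upgrades arrive as reviewed changes.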
Test dependency added to production dependencies
Medium Severity
The http-mitm-proxy package is added to dependencies rather than devDependencies. Based on the PR description stating this is a "test script demonstrating header injection," this appears to be development/testing tooling. A Man-in-the-Middle proxy for HTTPS interception is a security-sensitive tool that typically should not be bundled with production builds. The accompanying test-mitm-proxy.ts script at root level further suggests this is test infrastructure.
- test/mitm-proxy.ts: Main proxy with header injection and response modification
- test/mitm-proxy-mkcert.ts: Variant using mkcert for Go-compatible certs
- test/mitm-proxy.test.ts: Vitest tests covering curl, wget, Python, Node
- test/mitm-scripts/: Individual test scripts for each client
- docs/MITM-PROXY.md: Setup documentation

Key features:
- Uses Proxy.gunzip for automatic gzip/deflate decompression
- Injects X-Proxy-Injected header on outgoing requests
- Appends marker to text responses (html/json/plain)
- Auto-generates certs per domain

Client compatibility tested:
- curl, wget, Python urllib, Node undici: ✅
- npm: ✅ (needs explicit config)
- Go/gh: ⚠️ (cert serial number issues with node-forge)
| export const RESPONSE_MARKER = "\n<!-- MITM_PROXY_MARKER -->" | ||
|
|
||
| const MKCERT_CAROOT = process.env.MKCERT_CAROOT || "/home/user/mini-agent/.mkcert-ca" | ||
| const CERTS_DIR = "/home/user/mini-agent/.mitm-mkcert-certs" |
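Review bot: `RESPONSE_MARKER` on the first line is an HTML comment, but the commit message says the marker is appended to html, json and plain text responses. Appended to a JSON body, `\n<!-- MITM_PROXY_MARKER -->` leaves trailing text that a strict JSON parser rejects; suggest limiting the body marker to text/html and signalling the other types with a response header.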
Hardcoded absolute paths will break other environments
Medium Severity
The MKCERT_CAROOT fallback and CERTS_DIR constants use hardcoded absolute paths (/home/user/mini-agent/...) that are specific to one developer's machine. Unlike test/mitm-proxy.ts which correctly uses process.cwd() for its caPath, these paths will fail for other developers and CI environments. CERTS_DIR has no environment variable override at all.
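One way to address the hardcoded-path comment above, as an added example that is not code from the PR. `MITM_CERTS_DIR`, `resolveMitmPaths` and `ensurePrivateDir` are hypothetical names, and the owner-only permission check goes beyond what the review comment asks for.

```typescript
import * as fs from "node:fs"
import * as path from "node:path"

// MKCERT_CAROOT is the variable the diff already reads; MITM_CERTS_DIR is a
// hypothetical override introduced for this example.
interface MitmPaths { caRoot: string; certsDir: string }

// Resolve both directories from the environment, falling back to
// project-relative defaults instead of one machine's absolute paths.
function resolveMitmPaths(
  env: Record<string, string | undefined>,
  cwd: string,
): MitmPaths {
  const pick = (name: string, fallback: string): string => {
    const value = env[name]?.trim()
    // path.resolve keeps absolute overrides and anchors relative ones at cwd.
    return path.resolve(cwd, value ? value : fallback)
  }
  return {
    caRoot: pick("MKCERT_CAROOT", ".mkcert-ca"),
    certsDir: pick("MITM_CERTS_DIR", ".mitm-mkcert-certs"),
  }
}

// Both directories hold private keys, so create them owner-only and refuse
// an existing directory that group or other users can read or enter.
function ensurePrivateDir(dir: string): string {
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 })
  const stat = fs.lstatSync(dir)
  if (!stat.isDirectory()) {
    throw new Error(`${dir} is not a directory (symlinks are rejected)`)
  }
  if (process.platform !== "win32" && (stat.mode & 0o077) !== 0) {
    const mode = (stat.mode & 0o777).toString(8)
    throw new Error(`${dir} has mode ${mode}; expected 700`)
  }
  return dir
}
```

A caller would pass `process.env` and `process.cwd()` to `resolveMitmPaths` and run `ensurePrivateDir` on each result before writing keys.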
| export https_proxy=http://localhost:8080 | ||
| curl --cacert .http-mitm-proxy/certs/ca.pem https://httpbin.org/headers |
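Review bot: The `export https_proxy=http://localhost:8080` line leaves the proxy set for the rest of the shell session, so every later command that honours the variable goes through the intercepting proxy. Suggest showing the per-command form, `https_proxy=http://localhost:8080 curl ...`, or adding an `unset https_proxy` step after the example.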
Why do we need the --cacert? Check that it works without, too! Because we trust the signing cert at a system level no?
| | **wget** | ✅ | `--ca-certificate=path/to/ca.pem` | | ||
| | **Python urllib** | ✅ | `ssl.load_verify_locations(ca_path)` | | ||
| | **Node.js/Bun** | ✅ | `NODE_EXTRA_CA_CERTS=path/to/ca.pem` | | ||
| | **npm** | ✅ | Requires explicit config (see below) | |
Try pnpm and bun and pip and go get and try cloning a git repo via https or git push via https
Moar testing!!!!
| wget --ca-certificate=.http-mitm-proxy/certs/ca.pem https://example.com | ||
| ``` | ||
|
|
||
| ### Python |
Add other popular ways to make http requests from python
| curl --cacert .http-mitm-proxy/certs/ca.pem https://httpbin.org/headers | ||
| ``` | ||
|
|
||
| ## Client Compatibility |
Add deno and rust and apt-get and 3 other popular things you can think of
Note
Adds a developer MITM proxy for HTTPS interception with header injection, response body modification, and traffic logging.
- test/mitm-proxy.ts (uses Proxy.gunzip) and test/mitm-proxy-mkcert.ts (mkcert-based certs for Go compatibility) with per-host cert generation
- test/mitm-proxy.test.ts and helper scripts (test/mitm-scripts/*) validating header injection and response modification using undici ProxyAgent
- docs/MITM-PROXY.md with setup, client configuration (curl/wget/Python/Node/npm), system trust, and Go caveats
- http-mitm-proxy and undici; update .gitignore to ignore .http-mitm-proxy/, .mkcert-ca/, .mitm-mkcert-certs/

Written by Cursor Bugbot for commit e09e0d3. This will update automatically on new commits.