
Show HN: Endpoints.dev – Pastebin for HTTP Requests - bozly
https://endpoints.dev
======
bozly
I've just released endpoints.dev - Use it to get a unique, private url that
will store & display all http requests made to it. Use your unique URL with
3rd party tools to see what requests they are making, without needing to spin
up a webserver. Or, use it for experimenting with XSS, phone-home, and other
http based pen-testing.

~~~
hnarn
Just out of curiosity, what's with all the freaky class names? Like
class="sc-jTzLTM ipDHfO", class="sc-jzJRlG hdyVuB" etc.

~~~
bozly
They are auto-generated by `styled-components` - a great option for "css in
js" in the React ecosystem

------
alifaziz
Great project! There is also an alternative site that I used before -
[https://webhook.site/](https://webhook.site/)

~~~
bozly
Thanks! webhook.site also looks great, I love their inclusion of an email
address... I might take some inspiration from them in my next iteration ;)

------
simonw
Feature request: give me a URL I can bookmark or share with team-mates for the
HTTP inspector bit. It looks at the moment like I get a random URL to send
requests to but I have to use the same browser to ensure that the
endpoints.dev homepage knows who I am so it can show me the traffic.

~~~
bozly
Great idea, having a perma-link as an alternative to the browser cookie would
be very nice - I'll add this to my list :)

I'm currently working on user accounts, which will eliminate the need to use
the same browser.

~~~
l1am0
Please do not require a login! The sharing via a second unique url would be
great for teams and I could use it right away. If I have to convince all my
colleagues to login that would kill it for me :/

~~~
bozly
I understand the frustration of too many logins :)

If I do end up adding user accounts, it would only be to add extra
functionality (persistent URLs etc) - the existing functionality + potential
perma-link feature would all remain available without an account.

------
kovek
That's awesome! I like these. Yesterday I was looking for some website that
would send me EventSource/SSE Messages so that I could test what is going on
on Android...

Here's another server for testing HTTP:
[http://httpbin.org](http://httpbin.org)

------
tyingq
Is the unique endpoint "secure/random" enough? I imagine you would end up with
some amount of live session cookies, tokens, api keys, and so on, that would
have some value for people guessing uris.

Edit: Ahh, missed the JWT pairing. I read "Pastebin for" too literally.

~~~
bozly
This was definitely a concern... Each unique subdomain is checked for
collision before being assigned, so no two users will receive the same
endpoint. Additionally, it is assigned with a jwt, so even if someone was to
brute force an endpoint that has been assigned to someone else, they would not
be authorized to see the request data.

~~~
emiunet
If I knew somebody else's unique subdomain, I could set my browser cookie on
my local computer to that value and it seems to just load the other subdomain
just fine. I tested this with 2 different browsers on my same laptop. Maybe it
won't work if the other person is on another computer?

I could also just set the subdomain to anything I like (by setting the cookie
value) and it still works just fine.

Ah no, I can still set the cookie to the other person's subdomain on another
machine.

Edit: add extra sentence.

Edit2: format.

~~~
bozly
Oh boy, that's an embarrassing bug!

Found the issue, and I'm working on a fix now

Edit: bug squashed - this should no longer be an issue
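
The class of bug reported in this sub-thread, as an added example that is not part of the thread and not endpoints.dev's code: a viewer check that trusts a client-editable cookie, beside one that takes the endpoint only from a signed token claim. The cookie names, the secret and all function names are assumptions.

```javascript
// Added illustration; cookie layout, SECRET and function names are hypothetical.
const nodeCrypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed; load from a secret store in practice
const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (data) => nodeCrypto.createHmac("sha256", SECRET).update(data).digest();

// Issue an HS256 JWT whose `sub` claim names the assigned endpoint.
function issueToken(subdomain) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub: subdomain }));
  return `${header}.${payload}.${hmac(`${header}.${payload}`).toString("base64url")}`;
}

// Return the verified subdomain claim, or null if the token is malformed or forged.
function verifyToken(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    const h = JSON.parse(Buffer.from(header, "base64url").toString());
    if (h.alg !== "HS256") return null; // pin the algorithm
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null;
  }
}

// Flawed: the viewer is whoever the client-editable cookie says it is.
function canViewFlawed(cookies, requestedSubdomain) {
  return cookies.subdomain === requestedSubdomain;
}

// Hardened: only the signed claim decides whose requests are shown.
function canViewHardened(cookies, requestedSubdomain) {
  const sub = verifyToken(cookies.token);
  return sub !== null && sub === requestedSubdomain;
}
```
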

------
dethos
Some time ago I built a similar tool, with the main difference being that it
doesn't store any data, so you need to have the webpage open to receive the
request info. Since I use it mostly to debug issues and quickly inspect
something on the fly, that works for me.

It is available here:
[https://github.com/dethos/webhook_logger](https://github.com/dethos/webhook_logger)

(You can quickly deploy it on your own server, if you don't trust a hosted
service).

------
tegiddrone
I like the simplicity! Some of the other options out there are pretty
elaborate and not straightforward to get started.

One thing I'm always looking for in these is the docker run one liner. Because
if I incorporate a tool into my work, how do I better ensure it's going to
stay around by either pragmatic paid plan or OSS self host?

~~~
bozly
Thanks, simplicity is definitely what I am aiming for!

Making this an OSS project is the direction I plan to take - just need to tidy
up the code a bit before making it public :)

The current implementation is serverless on AWS though, and most of the
"complexity" is in the infrastructure, so as convenient as they are, I don't
think I'll aim to dockerize it.

------
user5994461
Could you extend the headers by default?

It's annoying to have to click a super small > every time to extend. That
doesn't look like a button and is too small to click by the way.

Is it running on HTTP/2? It's converting all headers to lowercase. Might be a
side effect of HTTP/2 or Cloudflare.

------
ankit84
Another good alternative [https://beeceptor.com/](https://beeceptor.com/)

* named subdomain / endpoints

* Build Rest API and Mocking responses

* HTTP Intercepting

* HTTP Proxy pass

* nice UI, live updating, json formatting, sharable requests, etc

------
TekMol
Show me your pretty requests everybody:

[https://2f5799dcfb.endpoints.dev](https://2f5799dcfb.endpoints.dev)

# Update

Interesting:

- Lots of IPV6 requests coming from HN.

- What is the "dnt" header most requests carry?

~~~
jswny
It is the "Do Not Track" header[1], which indicates that the user doesn't want
to be tracked.

[1] [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DNT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DNT)

~~~
TekMol
OMG. So people who do not want to be tracked voluntarily add another bit of
tracking data to their requests.

------
kayson
Right now the Headers column is essentially useless because the json renderer
doesn't seem to want to display beyond one level of depth so you just see
"[{...},{...},etc]". Can you make this more usable? Maybe add some kind of
expansion ui where it will pretty print the headers in multiple lines?

~~~
bozly
The header details can be expanded by clicking the ">" arrow to the left of
the "[{...},{...},etc]"

I think this could be a bit more intuitive though, thanks for the feedback!

~~~
kayson
Ah. Yes, it's not very intuitive. I would personally have used a "+". But I
think the bigger issue that makes it unintuitive is that the cursor CSS is set
on the entire <p> tag of the condensed JSON, but the click event is only set
on the ">". If you set the click on the entire <p> as well, then it becomes
more obvious that clicking the row does something.

------
mandaputtra
How do you generate that unique endpoint? Do you have some worker that
generates https config? What's your magic?

~~~
q3k
Not the author, but there's no config that needs to be generated. Just run a
HTTPS server with a wildcard cert that serves all traffic from a wildcard
'vhost' *.example.com to your application code. Then, your application can
just look at the Host header to see which 'endpoint' it should serve.

~~~
mandaputtra
Thanks! So I don't need to register every sub-domain? I thought that I must
register every sub domain name on my DNS config.

~~~
bozly
Wildcard DNS records (i.e. `*.example.com`) are your friend in situations like
this :)
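
The wildcard-vhost routing described in this sub-thread, as an added example that is not part of the thread and not the site's own code: the application derives the endpoint from the Host header and rejects anything that is not exactly one well-formed label under the base domain. `BASE_DOMAIN`, the 10-character id format and the in-memory `store` are assumptions.

```javascript
// Added illustration; BASE_DOMAIN, the id format and the store are assumptions.
const BASE_DOMAIN = "example.com";
const ENDPOINT_ID = /^[a-z0-9]{10}$/; // assumed shape of an assigned subdomain

// Map a Host header to an endpoint id, or null if it is not a valid endpoint host.
function endpointFromHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  let host = hostHeader.trim().toLowerCase(); // hostnames are case-insensitive
  host = host.replace(/:\d+$/, "");           // drop an explicit port
  host = host.replace(/\.$/, "");             // drop a fully-qualified trailing dot
  const suffix = "." + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null;    // apex or foreign domain
  const label = host.slice(0, -suffix.length);
  // Exactly one label: "a.b" or an empty string fails the pattern.
  return ENDPOINT_ID.test(label) ? label : null;
}

// Record a request against the endpoint named by its Host header.
// `store` is a Map from endpoint id to an array of captured requests.
function route(req, store) {
  const id = endpointFromHost(req.headers.host);
  if (id === null) return { status: 400, body: "unknown host" };
  if (!store.has(id)) return { status: 404, body: "endpoint not assigned" };
  store.get(id).push({ method: req.method, path: req.url, headers: req.headers });
  return { status: 200, body: "recorded" };
}
```
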

