Show HN: Endpoints.dev – Pastebin for HTTP Requests (endpoints.dev)
201 points by bozly on May 5, 2020 | 50 comments



I've just released endpoints.dev - Use it to get a unique, private URL that will store & display all HTTP requests made to it. Use your unique URL with 3rd party tools to see what requests they are making, without needing to spin up a webserver. Or, use it for experimenting with XSS, phone-home, and other HTTP-based pen-testing.


"I've just released endpoints.dev ..."

This is a very interesting tool and I can think of some ways it would be useful to me, personally ...

If you'd like a free rsync.net account, as a thank-you, just email. Thank you for making this available.


Any advantages over http://requestbin.net/ ?


Looks like requestbin will only keep 20 requests for 48 hours. Currently, endpoints.dev will store an unlimited number of requests for 30 days. The plan is to add user login, and lift the 30 day limit for authenticated users.


Resources are never unlimited. Be smart and put some safe limits before the server gets abused, and either shutdown or bill you to death.


Very cool. You can also use osapy.com to inspect 3rd party API requests. Or even combine Osapy with endpoints.dev. I wrote a blogpost how to do that for retool.

In which direction do you want to develop the website?


Actually - just tried your website and it doesn't work for me. I tried

    curl -H "Content-Type: application/json" -d '{"message":"hello world"}' https://8ef216dd46.endpoints.dev

and nothing happened. Maybe check your logs.


Are you running behind a load balancer on AWS? You might have to increase the idle connection timeout from the default (60 seconds). I use the max 4000s on hopps.io. Sending keep-alives to prevent the socket connection from closing also helps. Not sure if that's your issue, but worth looking into...


oh. you don't have live-updating. Sorry it works then.


Live updating should work - I'll investigate if there's any issues with the websocket api :)


Same, live updating didn't work but a page refresh did. I don't know much about websockets, but FWIW this request is still pending:

    Request URL: wss://ws.endpoints.dev/?token=redacted
    Request Method: GET
    Status Code: 101 Switching Protocols


it's normal for websockets to show as pending in devtools. Check the Messages tab


Fixing the real time update would be my only immediate feedback. Outside of that, this is a pretty nice app


Found the bug! Live updating should be working now


Live updating also not working for me. I do have uMatrix installed but I whitelisted your whole site for each column.


hmm - I can see a few requests have been received & stored for that endpoint.. It could be that your client killed the connection to the websocket api - does refreshing the page show the requests?


Same thing and worked a treat, with live updating... interesting.


Just out of curiosity, what's with all the freaky class names? Like class="sc-jTzLTM ipDHfO", class="sc-jzJRlG hdyVuB" etc.


they are auto generated by `styled-components` - a great option for "css in js" in the React ecosystem


Probably a preprocessor generating those..


Great project! There is also alternative site that I used before - https://webhook.site/


Thanks! webhook.site also looks great, I love their inclusion of an email address... I might take some inspiration from them in my next iteration ;)


Yeah webhook.site is great and I like the model


Feature request: give me a URL I can bookmark or share with team-mates for the HTTP inspector bit. It looks at the moment like I get a random URL to send requests to but I have to use the same browser to ensure that the endpoints.dev homepage knows who I am so it can show me the traffic.


Great idea, having a perma-link as an alternative to the browser cookie would be very nice - I'll add this to my list :)

I'm currently working on user accounts, which will eliminate the need to use the same browser.


Please do not require a login! The sharing via a second unique URL would be great for teams and I could use it right away. If I have to convince all my colleagues to log in that would kill it for me :/


I understand the frustration of too many logins :)

If I do end up adding user accounts, it would only be to add extra functionality (persistent URLs etc) - the existing functionality + potential perma-link feature would all remain available without an account.


That's awesome! I like these. Yesterday I was looking for some website that would send me EventSource/SSE Messages so that I could test what is going on on Android...

Here's another server for testing HTTP: http://httpbin.org


Is the unique endpoint "secure/random" enough? I imagine you would end up with some amount of live session cookies, tokens, api keys, and so on, that would have some value for people guessing uris.

Edit: Ahh, missed the JWT pairing. I read "Pastebin for" too literally.


This was definitely a concern... Each unique subdomain is checked for collision before being assigned, so no two users will receive the same endpoint. Additionally, it is assigned with a jwt, so even if someone was to brute force an endpoint that has been assigned to someone else, they would not be authorized to see the request data.


If I knew somebody else's unique subdomain, I could set my browser cookie on my local computer to that value and it seems to just load the other subdomain just fine. I tested this with 2 different browsers on my same laptop. Maybe it won't work if the other person is on another computer?

I could also just set the subdomain to anything I like (by setting the cookie value) and it still works just fine.

Ah no, I can still set the cookie to the other person's subdomain on another machine.

Edit: add extra sentence.

Edit2: format.


Oh boy, that's an embarrassing bug!

Found the issue, and I'm working on a fix now

Edit: bug squashed - this should no longer be an issue
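
The authorization check this exchange is about, as an added example that is not endpoints.dev's code: the viewer's endpoint is compared against a claim inside a signed token, never taken from a cookie alone. The cookie names `endpoint` and `token`, the demo key, and the compact HMAC-signed token (a simplified stand-in for the JWT mentioned above) are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key; a real service would load this from a secret store.
const SECRET = 'constructed-demo-key';
const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (data) => nodeCrypto.createHmac('sha256', SECRET).update(data).digest();

// Assign an unused random label (the collision check from the thread) and
// issue a token whose signed payload names that endpoint.
function assignEndpoint(taken) {
  let endpoint;
  do {
    endpoint = nodeCrypto.randomBytes(5).toString('hex'); // 10 hex characters
  } while (taken.has(endpoint));
  taken.add(endpoint);
  const payload = b64url(JSON.stringify({ endpoint }));
  return { endpoint, token: `${payload}.${b64url(sign(payload))}` };
}

// Return the endpoint a token was issued for, or null if it does not verify.
function endpointFromToken(token) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return null;
  const expected = sign(payload);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(payload, 'base64url').toString()).endpoint;
}

// Viewer authorization: the endpoint cookie alone proves nothing, because the
// client can set it to any value. It must match the verified token's claim.
function canViewRequests(cookies) {
  const owned = endpointFromToken(cookies.token);
  return owned !== null && owned === cookies.endpoint;
}
```

With this check, a browser that sets its `endpoint` cookie to another user's label is refused unless it also holds the token issued for that label.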


Some time ago I built a similar tool, with the main difference being that it doesn't store any data, so you need to have the webpage open to receive the request info. Since I use it mostly to debug issues and quickly inspect something on the fly, that works for me.

It is available here: https://github.com/dethos/webhook_logger

(You can quickly deploy it on your own server, if you don't trust a hosted service).


I like the simplicity! Some of the other options out there are pretty elaborate and not straightforward to get started.

One thing I'm always looking for in these is the docker run one liner. Because if I incorporate a tool into my work, how do I better ensure it's going to stay around by either pragmatic paid plan or OSS self host?


Thanks, simplicity is definitely what I am aiming for!

Making this an OSS project is the direction I plan to take - just need to tidy up the code a bit before making it public :)

The current implementation is serverless on AWS though, and most of the "complexity" is in the infrastructure, so as convenient as they are, I don't think I'll aim to dockerize it.


Could you extend the headers by default?

It's annoying to have to click a super small > every time to extend. That doesn't look like a button and is too small to click by the way.

Is it running on HTTP/2? It's converting all headers to lowercase. Might be a side effect of HTTP/2 or Cloudflare.


Another good alternative https://beeceptor.com/

* named subdomain / endpoints

* Build Rest API and Mocking responses

* HTTP Intercepting

* HTTP Proxy pass

* nice UI, live updating, json formatting, sharable requests, etc


Show me your pretty requests everybody:

https://2f5799dcfb.endpoints.dev

# Update

Interesting:

- Lots of IPV6 requests coming from HN.

- What is the "dnt" header most requests carry?


It is the "Do Not Track" header[1], which indicates that the user doesn't want to be tracked.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...


OMG. So people who do not want to be tracked voluntarily add another bit of tracking data to their requests.


> Lots of IPV6 requests coming from HN.

It's funny you mention that. I intentionally disabled IPv6 a while back, because it kept breaking things for me.

At some point either the router reset or my OS settings did (or both) because I recently discovered it was back on, despite not doing so myself.

I'm guessing it's on by default in enough places now that you'll see mostly ipv6.


Right now the Headers column is essentially useless because the json renderer doesn't seem to want to display beyond one level of depth so you just see "[{...},{...},etc]". Can you make this more usable? Maybe add some kind of expansion ui where it will pretty print the headers in multiple lines?


The header details can be expanded by clicking the ">" arrow to the left of the "[{...},{...},etc]"

I think this could be a bit more intuitive though, thanks for the feedback!


Ah. Yes, it's not very intuitive. I would personally have used a "+". But I think the bigger issue that makes it unintuitive is that the cursor CSS is set on the entire <p> tag of the condensed JSON, but the click event is only set on the ">". If you set the click on the entire <p> as well, then it becomes more obvious that clicking the row does something.


How do you generate that unique endpoint? Do you have some worker that generates HTTPS config? What's your magic?


Not the author, but there's no config that needs to be generated. Just run a HTTPS server with a wildcard cert that serves all traffic from a wildcard 'vhost' *.example.com to your application code. Then, your application can just look at the Host header to see which 'endpoint' it should serve.


Thanks! So I don't need to register every sub-domain? I thought that I must register every sub domain name on my DNS config.


Wildcard DNS records (i.e. `*.example.com`) are your friend in situations like this :)


yep, that's exactly it :) - I'm using an ALB on AWS to manage the incoming requests


This StackOverflow post explains how it can be done with Nginx: https://stackoverflow.com/questions/12950572/nginx-wildcard-...
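
Host-header routing behind a wildcard DNS record and certificate, as the replies above describe it, written out as an added example (not endpoints.dev's code). The base domain constant, the 10-hex-character label format (inferred from the endpoint URLs quoted in this thread) and the function names are assumptions.

```javascript
// Assumptions for illustration: the base domain, and the 10-hex-character
// label format inferred from the endpoint URLs quoted in this thread.
const BASE_DOMAIN = 'endpoints.dev';
const LABEL_RE = /^[0-9a-f]{10}$/;

// Map a raw Host header to an endpoint id, or null if it must not be routed.
// The Host header is client-controlled, so it is normalized and validated.
function endpointFromHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.trim().toLowerCase()
    .replace(/:\d{1,5}$/, '')   // drop an optional port
    .replace(/\.$/, '');        // drop a trailing root dot
  const suffix = '.' + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null;      // apex or foreign domain
  const label = host.slice(0, -suffix.length);
  return LABEL_RE.test(label) ? label : null;   // one label only, fixed format
}

// Store an incoming request under the endpoint named by its Host header.
// `store` is a Map of endpoint id -> array of captured requests.
// A real service would also check that the id has actually been assigned.
function capture(store, req) {
  const endpoint = endpointFromHost(req.headers.host);
  if (endpoint === null) return 404;
  if (!store.has(endpoint)) store.set(endpoint, []);
  store.get(endpoint).push({ method: req.method, url: req.url, headers: req.headers });
  return 200;
}
```

Service hostnames such as the WebSocket host, nested labels, and lookalike domains that merely contain the base domain all fall through to the 404 branch.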



