The HTTP Modifier allows you to modify HTTP traffic on the fly. This is useful for quickly testing a website or application without changing server code — for example, adding cookies to a request header, injecting CORS headers into a server response, or replacing content in the response body.
What Is the HTTP Modifier?
The HTTP Modifier is a built-in HTTP Debugger feature that modifies HTTP traffic on the fly. It intercepts outgoing requests and incoming responses and applies regex-based rules to add, remove, or replace headers and body content before delivery. You can use it to add cookies to a request header, inject CORS headers into a server response, change User-Agent strings, or rewrite HTML content — all without touching application or server code.
If you need to replace the entire server response rather than modify parts of it, use the Auto-Responder instead. Combined with the TCP/IP Redirector, the HTTP Modifier also enables transparent redirection of HTTP traffic between endpoints.
HTTP Modifier Settings
| Setting | Meaning |
|---|---|
| Modify What | select Request to modify outgoing traffic or Response to modify incoming traffic. |
| Application | type or select an application name to limit which process the rule applies to. If no application name is provided, the rule applies to all applications. It is recommended to specify an application name for precision and performance. |
| Protocol | select the protocol from the list to filter which traffic the rule targets. |
| Match Rules | provide one or more regex patterns to match the requests or responses you want to modify. Match rules are case-insensitive and apply only to HTTP headers. For outgoing traffic, patterns match request headers. For incoming traffic, patterns match both request and response headers. If more than one rule is provided, all rules must match for the modifier to trigger. |
| Modifier Rules | provide regex find-and-replace patterns to modify HTTP headers and/or body content. You can define as many modifier rules as needed. Grouping ($1, $2, etc.) and special symbols (\r, \n, \t) are supported. HTTP Debugger automatically recalculates the Content-Length header when the body content changes. When adding content modifier rules, ensure each rule includes a match rule for the correct content type to avoid corrupting binary content, such as images or compressed data. |
Match Rule Regex Examples
Match HTTP method and URL path:
^GET\s+/index\.html\s+HTTP/Match a response status code:
^HTTP/.+200Match by host name:
Host:.*httpdebugger\.comMatch by content type:
Content-Type:.*text/htmlModifier Rule Regex Examples
Append a new header to the end of the header block:
Regex: (?=\r\n\r\n)
Value: \r\nAccess-Control-Allow-Origin: *Delete an existing header:
Regex: User-Agent:.*\r\n
Value: Replace a header value using capture groups:
Regex: (Content-Length:).*(?=\r\n)
Value: $1 12345Replace an HTML tag in the response body:
Regex: (<title>).*(</title>)
Value: $1 new title $2Common Use Cases
CORS Header Testing
When a browser blocks cross-origin requests, use the HTTP Modifier to inject Access-Control-Allow-Origin and related CORS headers into responses — verify frontend behavior before configuring CORS on the backend.
Authentication and Cookie Injection
Testing expired tokens, missing cookies, or switched user roles normally requires logging in and out repeatedly. The HTTP Modifier automatically injects or replaces Authorization headers, Cookie values, or custom auth tokens on every matching request automatically.
Security Header Auditing
Headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options enforce browser security policies. The HTTP Modifier can temporarily remove or alter them to test how an application behaves without these protections.
Content and HTML Rewriting
Replace specific elements in the response body — page titles, script URLs, inline text — using regex patterns with capture groups. The Content-Length header is recalculated automatically.
Tips and Notes
- You can create a modifier rule directly from the traffic grid's context menu — right-click any captured request or response to generate a rule from its headers.
- Test outgoing HTTP modifier rules by visiting the View Browser Headers page.
- Browsers tend to cache connections, so you may need to restart the browser for changes to take effect.
- To improve performance, disable the HTTP Modifier when it is not in use.
- When adding body content modifier rules, always include a match rule for the proper content type.
HTTP Modifier FAQ
- What is the difference between modifying requests and responses? Request modification changes what the client sends to the server — auth tokens, User-Agent, custom headers. Response modification changes what the server returns — CORS policies, caching directives, security headers, body content.
- Can the HTTP Modifier change HTTPS traffic? Yes. HTTP Debugger decrypts HTTPS traffic transparently at the network level, enabling the HTTP Modifier to work with both HTTP and HTTPS sessions
- How is the HTTP Modifier different from the Auto-Responder? The HTTP Modifier modifies specific parts of a real request or response while the original transaction is still en route to the server. The Auto-Responder replaces the entire HTTP response with a predefined one — the request never reaches the origin.
- Does modifying the response body affect the Content-Length header? Yes. When body content changes size, Content-Length must be updated. HTTP Debugger recalculates this automatically.
- Can I apply multiple match rules at once? Yes. When multiple match rules are defined, all rules must match for the modifier to trigger. This lets you combine conditions — for example, targeting a specific host and content type together.
