Launch HN: Requestly (YC W22) – Network debugging proxy for web and mobile
When developers work with APIs on their local machine, current experience is very broken. Requestly saves you time by letting you test your APIs faster without deployment on staging. Requestly also lets you simulate different failover and edge case scenarios which are hard to simulate without code changes.
Back in 2014, I was working on Adobe Target and I had a customer issue where the delivered campaign was showing FOUC (Flash of Unstyled Content) on the customer’s website and It was intermittent. It was so hard to debug with the minified production version of the script, I built a tool to perform a simple redirect of production JS to my locally running JS. I was then able to do logging and gradually pinpoint the exact issue and where I could optimize. My team and I debugged a lot of customer issues using this tool, which eventually became Requestly.
I just loved working on Requestly so I kept maintaining the project over weekends and supporting users. It started to gain traction organically and today it serves more than 40K monthly active users. In a later job at Blinkit (10min delivery platform in India), I saw how mobile app debugging is hard, and similar problems exist in backend development. I did a bit of both there and decided to work on Requestly full time to solve these problems.
You might have used solutions like Charles Proxy earlier! Charles is good and I am myself a huge fan, but when it comes to modification capabilities—setting up redirects or mocking API responses—it requires a lot of work. Collaboration is missing, data extraction and offline history are missing. It’d be fair to say that we are building a better alternative to Charles Proxy. We are also simplifying mobile app debugging by building a native SDK that anyone can connect to our Web.
Many users also confuse us with Postman. I’d clarify this as Postman is an API development platform, while Requestly is an API debugging and testing platform. For example - as a frontend engineer at Uber, I’d like to test how my app would react if the driver allocation API doesn’t respond on time - will there be an automatic retry, or does the app crash?
Requestly intercepts your local network traffic and provides capabilities like Mocking API Response, Simulate HTTP(s) Status Codes, Switching API endpoints, Redirect Production Traffic (or selective API) to stage/local environment, Inject scripts on web pages, and much more. Requestly is available as a browser extension on Chromium and Firefox, as well as a desktop app on MacOS, Windows, and Linux systems. You can download it at https://requestly.io/downloads We have a freemium model. The free plan has almost every feature but is limited to 3 modification rules. Our pricing is at https://app.requestly.io/pricing.
We are now building an open-source Android SDK that lets developers view their API traffic (and analytics events) on the web. This is in testing and planning to roll out very soon. This can be used by non-developers as well. Folks like product managers or digital marketers will be able to validate the analytics instrumentation easily. As a matter of fact, tools like Requestly are needed not only in development environments but also in production environments to debug distributed transactions. We are not there yet but we have plans to solve that problem too. One foot at a time :)
I’d love to hear your thoughts on the product expe...
86 comments
[ 4.0 ms ] story [ 312 ms ] threadI frequently use Charles/Fiddler, but always interested in new offerings. Congrats on the release!
https://youtu.be/gs02m2pZJlQ (Demo Video)
https://requestly.io/android-interceptor/ (WIP - Landing Page)
I'd be really happy to discuss further on this approach. I believe this is going to make things really easy for developers.
Curious on the body -- you showed some JSON requests, but do image resources or other larger responses also get proxied and viewable from browser?
For example, sometimes I like to view large minified JS blobs or images. Would that be viewable in the browser?
Also, what do the production vs debugging logs look like? Do you just run a special debugging build or is that a flag triggered within preferences? So e.g., would a user be able to turn debugging on to give extra logs to support staffs?
We provide the capability that you can disable the SDK in production builds and enable only in the debug builds. And yes we are going to provide the capability using which you can download or share the APIs and events sessions with your support staff.
Sure, it's a dev-tool and we're not as fussed about design. But the pricing page has so much going on at once that I struggled to concentrate on the product-offer. Same goes for the Homepage where I can see 7 different forms of accreditation before you explain what the product is. Have some video's, or animations showing the tool in action. I took me waaay too long to realise it wasn't a Postman offering.
Maybe A/B test the page with and without all the ratings/endorsements and see if one leads to better conversion.
I want to also give a shoutout to https://proxyman.io/. Proxyman is a native Mac App that also works as a local proxy and is a pleasure to use. I've been using it for similar workflows and can highly recommend it over Charles (the SSL handling alone is 100x simpler).
Requestly also lets you write a simple JS script to change something in the existing content. Here are some references for you - About Modify Response (https://requestly.io/feature/modify-response/), Change Status Code (https://stackoverflow.com/questions/50923170/simulate-fake-4...).
And yes, Requestly is available on Windows too.
Requestly feels good and there is a lot of potential for production debugging. I particularly like the switching of API endpoint so you can use the live prod website with a local API, super useful to debug.
This lets you send action commands to production without having a debug session into you K8S cloud.
So you can add a conditional snapshot (a breakpoint that doesn't break) to the set of green containers. E.g. I can add a snapshot that has a condition to only grab the data for user X. I'll get the result regardless of the container that actually handles the request.
I would recommend some sort of graphic on the homepage to explain what Requestly does though, as you mention it can be confused with Postman when it's entirely different. Maybe an animated flowchart type graphic showing how a browser request to X is redirected to Y based on some Requestly rule.
Do you mean to say we should have an animated flowchart for the hero image on the page?
[1] https://github.com/httptoolkit/frida-android-unpinning
I was looking for something like this. Tried mitmproxy but it was useless against cert pinning. So I went with decompiling the app to extract the auth keys and urls for the internal API it was using.
Something which I don't like is that every time I need the traffic to go through burp I need to go the WiFi settings and modify the "advance option" to use proxy. And if I keep the proxy settings on all the time then I've had issues with playstore and other such app, on the testing device. So that small bit of manual work is what I don't like.
In another comment[2] they mentioned they'll be releasing an android interceptor which would work without proxy, I think that would make me try this.
[1] [https://github.com/federicodotta/Brida](https://github.com/f...
[2] [https://news.ycombinator.com/item?id=30541263](https://news....
https://requestly.io/
https://portswigger.net/burp
https://dutzi.github.io/tamper/
https://anyproxy.io/en/
https://wproxy.org/whistle/
https://www.telerik.com/fiddler
https://github.com/alibaba/lightproxy
https://httptoolkit.tech/
https://mitmproxy.org/
https://wiki.squid-cache.org/Features/SslPeekAndSplice
https://www.charlesproxy.com/
https://nssurge.com/
https://wrapapi.com/proxy
https://www.privoxy.org/
http://www.tofuproxy.stargrave.org/
https://github.com/http-party/node-http-proxy
https://github.com/joeferner/node-http-mitm-proxy
https://www.zaproxy.org/
https://proxyman.io
UPDATE: did that myself, but wish someone takes over. I only check for new and better stuff once in 3 years. The community deserves someone better.
https://github.com/michaelkariv/awesome-requests-proxy-list
- Android device running Android 10 (generally using older versions is better) - Magisk for root + Trust User Certificates module - mitmproxy (sometimes using mitmweb) - ProxyDroid to connect to mitmproxy - Frida with a one of a handful open source SSL pinning bypass scripts (and a custom one at work)
When network requests aren't enough, I reach for JADX-GUI for decompilation and Frida (REPL and custom scripts) for extracting data at runtime (taking the necessary "cleanroom" precautions for commercial projects).
function modifyResponse(args) { const {method, url, response, responseType, requestHeaders, requestData, responseJSON} = args;
How challenging will it be to continue offering Chrome browser extension with the v3 manifest changes related to the blocking webRequest API? Does it impact requestly?
The Linux page, https://requestly.io/downloads/linux/, has MacOS instructions instead of Linux.
A couple of things which I see right away not being supported directly in Manifest V3 are like adding a random parameter to URL to avoid caching, Inserting a script before page load etc.
Apart from this, from a couple of folks whom I know have migrated to Manifest V3 their users have faced some issues So I'd be most likely wait for another 4-5 months before doing the migration. Do you have any pointers for v2 to v3 migration?
Thanks for the tip about the Linux page.