mitmproxy
Interactive HTTPS proxy for security testing and API analysis — intercepts, inspects, and modifies HTTP/HTTPS traffic. mitmproxy features: mitmproxy interactive TUI, mitmdump for automated capture, mitmweb browser UI, Python addons API (request/response hooks), SSL/TLS interception (transparent MitM), WebSocket support, HTTP/2 and HTTP/3, upstream proxy chaining, HAR export, flow manipulation (modification of requests/responses in flight), replay/fuzz flows, and scripting via Python addon scripts. Three frontends: interactive (mitmproxy), CLI (mitmdump), and web (mitmweb). Used for API security testing, mobile app traffic analysis, and agent HTTP traffic inspection.
🔒 Security
Active MitM proxy — intercepted traffic contains auth tokens, passwords and PII; handle captures with strict access controls. The CA private key lives in ~/.mitmproxy/mitmproxy-ca.pem (key and certificate in one PEM bundle) and must be protected; anyone holding it can impersonate every site a device that trusts the CA visits. Only use on authorized systems and networks. Intercepted credentials must not be logged to unsecured files.
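Two checks a test-device setup should run before a CA file leaves the proxy host, as an added example that is not mitmproxy's own tooling: the file handed to a device must contain a certificate and no private-key block, and the key-bearing bundle must stay owner-readable only. It assumes mitmproxy's default confdir layout (~/.mitmproxy/mitmproxy-ca.pem holding key plus certificate, ~/.mitmproxy/mitmproxy-ca-cert.pem holding the certificate alone); the demo writes constructed placeholder PEM files to a temporary directory so nothing here touches real keys.

```python
import os
import stat
from pathlib import Path

# Assumption: default mitmproxy confdir layout.
CONFDIR = Path.home() / ".mitmproxy"


def safe_to_distribute(path):
    """True only if the PEM file holds a certificate and no private key block,
    i.e. it is fit to install into a test device's trust store."""
    text = Path(path).read_text()
    return "BEGIN CERTIFICATE" in text and "PRIVATE KEY" not in text


def key_file_private(path):
    """True if the key-bearing bundle is readable by its owner only (0600 or 0400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode in (0o600, 0o400)


def audit_confdir(confdir=CONFDIR):
    """Report both checks for the default file names; a missing file counts as a failure."""
    bundle = Path(confdir) / "mitmproxy-ca.pem"
    cert = Path(confdir) / "mitmproxy-ca-cert.pem"
    return {
        "bundle_private": bundle.exists() and key_file_private(bundle),
        "cert_has_no_key": cert.exists() and safe_to_distribute(cert),
    }


def demo_on_constructed_files():
    """Exercise the checks on constructed placeholder PEM files (not real keys)."""
    import tempfile
    d = Path(tempfile.mkdtemp())
    (d / "mitmproxy-ca.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (d / "mitmproxy-ca-cert.pem").write_text(
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    os.chmod(d / "mitmproxy-ca.pem", 0o600)
    os.chmod(d / "mitmproxy-ca-cert.pem", 0o644)
    good = audit_confdir(d)
    # Model the mistake the page warns about: copying the whole bundle out as the "cert".
    (d / "mitmproxy-ca-cert.pem").write_text((d / "mitmproxy-ca.pem").read_text())
    bad = audit_confdir(d)
    return good, bad


if __name__ == "__main__":
    print(audit_confdir())  # run against the real confdir on the proxy host
```

Run it on the proxy host before copying anything to a device; if cert_has_no_key is False, the file you were about to install carries the signing key.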
Best When
Analyzing, testing, or debugging HTTP/HTTPS traffic for agent security assessment, API testing, or mobile app reverse engineering in authorized environments — mitmproxy's Python addon API enables programmable traffic manipulation that Burp Suite's community edition doesn't provide.
Avoid When
You need production traffic proxying, high-throughput processing, or are intercepting traffic without explicit authorization.
Use Cases
- • Agent HTTP traffic inspection — mitmdump -s addon.py loads addon.py and runs its hooks against all intercepted traffic; a response hook such as class MyAddon: def response(self, flow): if 'api/agent' in flow.request.url: print(flow.response.json()), registered at module level with addons = [MyAddon()], logs every API response whose URL matches the pattern
- • Agent request modification — class ModifyAddon: def request(self, flow): if 'Authorization' in flow.request.headers: flow.request.headers['Authorization'] = f'Bearer {new_token}' (again registered via addons = [ModifyAddon()]) — replaces auth tokens in flight, so an API can be tested with different credentials without modifying the client
- • Agent traffic recording — mitmdump -w agent_traffic.flows — write all HTTP flows to a file; mitmproxy -r agent_traffic.flows — load the recording for review; mitmdump -C agent_traffic.flows — client-replay the recorded requests; the agent captures mobile app API calls for analysis and regression testing
- • Agent security testing — class FuzzAddon: def request(self, flow): flow.request.content = fuzz(flow.request.content) — mutate request bodies with a fuzzer (fuzz must return bytes); the agent sends malformed requests to test API resilience, or intercepts and corrupts specific parameters
- • Agent certificate pinning bypass — mitmproxy with device trust store configured + Frida script disables pinning — agent inspects mobile app HTTPS traffic; reveals hidden APIs, authentication flows, and data collection patterns
Not For
- • Production proxy — mitmproxy is for testing; for production API gateway use Nginx, Kong, or Envoy
- • High-throughput proxying — mitmproxy Python processing adds latency; for high-performance TLS inspection use dedicated appliances
- • Unauthorized traffic interception — mitmproxy requires device trust of CA certificate; intercepting traffic without device owner consent is illegal
Authentication
mitmproxy itself has no authentication; it is meant to listen locally, so bind it with --listen-host 127.0.0.1 rather than exposing the listener on a shared network. Upstream proxy auth (username:password@proxy) is supported. Target application credentials are visible in intercepted traffic.
Pricing
mitmproxy is MIT licensed. Free for all use.
Known Gotchas
- ⚠ CA certificate must be trusted by client — mitmproxy generates a unique CA on first run under ~/.mitmproxy/; mitmproxy-ca.pem holds the private key plus certificate and stays on the proxy host, while mitmproxy-ca-cert.pem (certificate only) is what a client must trust for TLS interception; mobile devices require installing that cert into the device trust store and disabling certificate pinning; certificate management is setup overhead for each test device
- ⚠ Addons must be in a separate file — mitmdump -s addon.py expects a path (relative to the current directory or absolute); inline code is not accepted; mitmproxy reloads a script automatically when the file changes on disk, so addon development is an edit-and-save loop against the running proxy, and reload failures show up only in the event log
- ⚠ flow.request.content is bytes — flow.request.content returns bytes; JSON parsing requires: import json; data = json.loads(flow.request.content); modifying requires setting bytes: flow.request.content = json.dumps(new_data).encode(); agent addons mixing str/bytes get TypeError
- ⚠ HTTP/2 multiplexes multiple streams — mitmproxy handles HTTP/2 but flow.request ordering differs from HTTP/1.1; agent addons assuming sequential request ordering may misattribute responses to requests; use flow.id for request-response matching in HTTP/2 agent testing
- ⚠ Addon errors silently continue — if addon def request(self, flow) raises exception, mitmproxy logs error but continues; agent addons with bugs appear to work but don't modify flows; always add explicit logging and check mitmproxy error output during agent addon development
- ⚠ Memory grows with recorded flows — mitmdump without -w flag accumulates all flows in memory; agent long-running captures of high-traffic APIs exhaust memory; use mitmdump -w flows.file to stream to disk or implement flow.kill() for unneeded flows in addon
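One addon that puts the Use Cases above and the bytes-vs-str, flow.id and silent-error gotchas into working form, as an added example that is not part of mitmproxy or of this page: it rewrites a JSON request field in flight (bytes in, bytes out), records matching responses keyed by flow.id with credential headers redacted, and catches its own hook exceptions so a broken hook is visible rather than quietly not modifying flows. The /api/agent path and the "model" field are assumptions; the _Stub objects at the bottom are constructed stand-ins so the hooks can be exercised offline without a mitmproxy install, while mitmdump -s agent_audit.py would pick up the same addons list.

```python
import json
import logging
import re

log = logging.getLogger("agent_audit")  # mitmproxy collects stdlib logging into its event log

# Assumptions for this example: endpoints under test sit under /api/agent (hypothetical path)
# and the request field to override in flight is called "model".
AGENT_URL = re.compile(r"/api/agent\b")
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def redact_headers(headers):
    """Copy a header mapping into a plain dict, masking values that carry credentials.
    Works with mitmproxy's Headers object or any mapping that has .items()."""
    return {name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def parse_json_body(content):
    """Decode a bytes body as JSON; return None instead of raising on anything else.
    flow.request.content and flow.response.content are bytes, which json.loads accepts."""
    try:
        return json.loads(content)
    except (ValueError, TypeError):
        return None


class AgentAuditAddon:
    """request(): rewrite matching JSON bodies; response(): record redacted results by flow.id."""

    def __init__(self):
        self.by_id = {}    # flow.id -> "METHOD url": pair responses by id, not arrival order
        self.records = []  # (flow.id, status, redacted response headers, parsed body)
        self.errors = []   # (flow.id, hook, exception): a hook that raised did NOT modify the flow

    def request(self, flow):
        try:
            self.by_id[flow.id] = f"{flow.request.method} {flow.request.pretty_url}"
            if not AGENT_URL.search(flow.request.pretty_url):
                return
            data = parse_json_body(flow.request.content)
            if isinstance(data, dict) and "model" in data:
                data["model"] = "audit-model"
                flow.request.content = json.dumps(data).encode()  # bytes, never str
        except Exception as exc:  # mitmproxy would only log this and move on; keep our own record
            self.errors.append((getattr(flow, "id", None), "request", repr(exc)))
            log.exception("request hook failed")

    def response(self, flow):
        try:
            if not AGENT_URL.search(flow.request.pretty_url):
                return
            body = parse_json_body(flow.response.content)
            headers = redact_headers(flow.response.headers)
            self.records.append((flow.id, flow.response.status_code, headers, body))
            log.info("%s -> %s %s", self.by_id.get(flow.id, "?"), flow.response.status_code, body)
        except Exception as exc:
            self.errors.append((getattr(flow, "id", None), "response", repr(exc)))
            log.exception("response hook failed")


addons = [AgentAuditAddon()]  # what mitmdump -s agent_audit.py registers


# --- Constructed stand-ins so the addon can run offline (not mitmproxy's classes) ---
class _Stub:
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def make_stub_flow(flow_id, url, req_body, resp_body, status=200):
    """Build an object with just the attributes the hooks above touch; all values constructed."""
    return _Stub(
        id=flow_id,
        request=_Stub(method="POST", pretty_url=url, content=req_body,
                      headers={"Authorization": "Bearer constructed-token"}),
        response=_Stub(status_code=status, content=resp_body,
                       headers={"Set-Cookie": "session=constructed",
                                "Content-Type": "application/json"}),
    )


def demo():
    """Push one matching, one non-matching and one broken flow through the addon."""
    addon = AgentAuditAddon()
    hit = make_stub_flow("flow-1", "https://api.example.test/api/agent/chat",
                         b'{"model": "prod-model", "q": "hi"}', b'{"answer": "hello"}')
    miss = make_stub_flow("flow-2", "https://api.example.test/health", b"", b"ok")
    broken = _Stub(id="flow-3", request=None, response=None)  # simulates a hook bug
    for f in (hit, miss, broken):
        addon.request(f)
        addon.response(f)
    return addon, hit
```

After a run, addon.errors is the list to inspect first: a non-empty list means some flows passed through unmodified even though mitmdump kept running.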
Scores are editorial opinions as of 2026-03-06.