Fine-grained HTTP filtering for Claude Code

88•ammario•4mo ago

Comments

simonw•4mo ago

This describes httpjail, a new Rust sandbox proxy tool: https://github.com/coder/httpjail

It works for any process, not just Claude Code. I got it working with Codex CLI like this:

  httpjail --js "r.host === 'chatgpt.com'" -- codex

After installing it using Cargo (and Homebrew):

  brew upgrade rust
  cargo install httpjail

I wrote more notes about it here: https://simonwillison.net/2025/Sep/19/httpjail/

moderation•4mo ago

Previously [0]

0. https://news.ycombinator.com/item?id=45307459

dang•4mo ago

We'll merge that comment hither. Thanks!

maxbond•4mo ago

The timestamps remained accurate! That's awesome.

mandrade2•4mo ago

> Allow only GET requests i.e. make the internet read-only

If only developers never made use of GET to modify resources...

https://www.reddit.com/r/webdev/comments/6999x7/comment/dh4v...

andy99•4mo ago

Am I misunderstanding this one? GET still sends information to another server, what is the "read only" aspect?

kookybakker•4mo ago

In theory a get request sent to a server should not have any side effects and only retrieve some data. In practice implemention is completely up to the developer and their rule is about as useful as putting up an exit sign to prevent people from entering your building.

ammario•4mo ago

I meant read-only there in the sense of mutability, not exfiltration.

Of course, some websites may permit mutations through GET so it’s probably only sensible to use alongside known hosts.

cmpaul•4mo ago

``` GET https://mysite.com/?query=all+the+secrets ```

nnikiforakis•4mo ago

As others mentioned, GET requests are supposed to be idempotent, i.e., you can send the same request 100 times and get the same response (with no server side-effects) 100 times.

GET requests are also easier to be abused in Cross Site Request Forgery (CSRF) attacks. Modern countermeasures in browsers (like SameSite cookies) will protect cross-origin POST and other state-changing methods, but will largely allow GET requests to go through while carrying session cookies.

userbinator•4mo ago

Ironically, your URL demonstrates this nicely, having a bunch of extra superfluous parameters that only serve to update some tracking database. Here is the "cleaned" URL: https://www.reddit.com/r/webdev/comments/6999x7/comment/dh4v...

I thought it'd be this old but memorable article: https://thedailywtf.com/articles/The_Spider_of_Doom

The Rise of Spec Driven Development

The first good Raspberry Pi Laptop

Seas to Rise Around the World – But Not in Greenland

Will Future Generations Think We're Gross?

State Department will delete Xitter posts from before Trump returned to office

Show HN: Verifiable server roundtrip demo for a decision interruption system

Impl Rust – Avro IDL Tool in Rust via Antlr

Stories from 25 Years of Software Development

minikeyvalue

Neomacs: GPU-accelerated Emacs with inline video, WebKit, and terminal via wgpu

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

How I grow my X presence?

What's the cost of the most expensive Super Bowl ad slot?

What if you just did a startup instead?

Hacking up your own shell completion (2020)

Show HN: Gorse 0.5 – Open-source recommender system with visual workflow editor

GLM-OCR: Accurate × Fast × Comprehensive

Local Agent Bench: Test 11 small LLMs on tool-calling judgment, on CPU, no GPU

Show HN: AboutMyProject – A public log for developer proof-of-work

Expertise, AI and Work of Future [video]

So Long to Cheap Books You Could Fit in Your Pocket

PID Controller

SpaceX Rocket Generates 100GW of Power, or 20% of US Electricity

Kubernetes MCP Server

I Built a Movie Recommendation Agent to Solve Movie Nights with My Wife

What were the first animals? The fierce sponge–jelly battle that just won't end

Sidestepping Evaluation Awareness and Anticipating Misalignment

OldMapsOnline

What It's Like to Be a Worm

Don't go to physics grad school and other cautionary tales