JunKangWorld
Application Security

Build with Hetty (dstotijn): 3 Powerful Uses in 2025

Discover why Hetty is becoming a go-to tool in 2025. We explore 3 powerful uses, from securing GraphQL APIs to integrating security into your CI/CD pipeline.

A

Alex Ivanov

A DevSecOps evangelist and application security specialist with a passion for open-source tools.

7 min read19 views

In the ever-accelerating world of software development, the tools we use for security and debugging often struggle to keep pace. As we march into 2025, monolithic architectures are relics, and our applications are complex constellations of APIs, microservices, and event-driven components. This is where Hetty, an open-source HTTP toolkit by Dustin Stotijn, is quietly becoming an indispensable asset for modern engineering teams.

So, What Exactly is Hetty?

Think of Hetty as a super-powered network proxy, a "man-in-the-middle" (MITM) tool designed for security research, API testing, and local development. Written in Go, it's incredibly lightweight and fast. You run it on your machine, point your application's traffic through it, and Hetty intercepts, logs, and displays every HTTP and HTTPS request in a clean web interface. Unlike some of its heavier, enterprise-focused counterparts, Hetty is built with a developer-first, open-source ethos. Its real power, however, lies in how perfectly it addresses the challenges of today's development paradigms.

Use Case 1: Taming the Modern API Beast (GraphQL & gRPC)

The Challenge with Modern APIs

Traditional REST APIs are straightforward for most proxies to handle. But what happens when you're dealing with GraphQL or gRPC, the darlings of modern API development?

  • GraphQL: It typically uses a single endpoint (e.g., /graphql) for all operations. This makes it difficult for older tools to distinguish between a request to fetch user data and one to delete a product. They just see a generic POST request, hiding the true intent within the request body.
  • gRPC: This high-performance framework uses Protocol Buffers (Protobuf) over HTTP/2. The payload is binary, not human-readable JSON. Trying to inspect a gRPC request with a standard proxy often results in a screen full of gibberish, making debugging a nightmare.

How Hetty Shines in 2025

Hetty was built for this new world. It has first-class support for both GraphQL and gRPC, automatically parsing their payloads into a human-readable format. Instead of an indecipherable binary stream for a gRPC call, you'll see the actual service, method, and message content. For GraphQL, Hetty intelligently dissects the query or mutation from the request body, giving you a clear, searchable log of operations.

For a security researcher, this means you can easily spot issues like excessive data exposure in a GraphQL response or insecure data being passed between gRPC services. For a developer, it means you can finally see what's going on, cutting down debugging time from hours to minutes.

Advertisement

Embedding Security in Your CI/CD Pipeline

The DevSecOps Imperative

"Shift-left" isn't just a buzzword anymore; it's a necessity. The goal of DevSecOps is to integrate security practices directly into the development lifecycle, not bolt them on at the end. This means running automated security checks every time code is committed or a new build is created. However, many traditional security tools are GUI-based, resource-heavy, and not designed for automation.

Hetty as Your Automated Security Guard

Because Hetty is a lightweight, single binary written in Go, it's a perfect fit for CI/CD environments. You can easily script its startup and shutdown as part of your pipeline. Imagine a scenario:

  1. Your CI/CD pipeline builds your application and starts it in a test environment.
  2. The pipeline then starts Hetty.
  3. Automated integration tests run, with all their API traffic routed through Hetty.
  4. A custom script then queries Hetty's logs (or a future API endpoint) to check for security red flags: Are any requests leaking API keys? Are we seeing unexpected error codes that suggest a vulnerability? Is sensitive PII present in a URL?
  5. If a red flag is found, the build fails automatically, preventing the vulnerable code from ever reaching production.

This approach makes security a proactive, automated part of development. Here’s how Hetty stacks up against some common alternatives for this specific use case:

Feature Hetty Burp Suite Pro OWASP ZAP
Cost Free (Open Source) Paid (Per User/Year) Free (Open Source)
CI/CD Automation Excellent (Lightweight binary, scriptable) Possible (via extensions/APIs, but complex) Good (Daemon mode, extensive API)
Resource Footprint Very Low High (Java-based, GUI-focused) Medium-High (Java-based)
GraphQL/gRPC Support Excellent (Native) Good (via extensions) Limited (requires add-ons)
Ease of Setup Trivial (Single binary) Moderate (Installer, licensing) Moderate (Installer, Java dependency)

A Developer’s Secret Weapon for Microservices

The Microservice Maze

You're running your application locally using Docker Compose. The `auth-service` needs to talk to the `user-service`, which in turn calls the `profile-service`. You make a request from the frontend, and it fails. Where did it go wrong? Is the `auth-service` sending a malformed JWT? Is the `user-service` timing out when calling the `profile-service`? Without proper observability, you're flying blind, reduced to sprinkling `console.log` statements everywhere and hoping for the best.

Gaining X-Ray Vision with Hetty

This is where Hetty becomes a developer's best friend. By configuring your local services to use Hetty as their HTTP proxy, you create a central chokepoint where you can observe all inter-service communication. Suddenly, the black box is wide open.

You can instantly see the exact request flow:

  • The frontend's initial call.
  • The `auth-service`'s response with the token.
  • The subsequent request to the `user-service` with its `Authorization` header.
  • The `user-service`'s downstream call to the `profile-service`.

With Hetty's clear, searchable interface, you can quickly pinpoint the failing service. You can inspect headers, analyze request and response bodies, and even use its "Sender" module to replay and modify a request to test a fix without having to restart your entire application stack. It's a powerful, low-friction way to debug the complex interactions that define modern cloud-native applications.

Final Thoughts: Why Hetty Belongs in Your 2025 Toolkit

Hetty isn't trying to be a heavyweight, all-in-one security platform. Its strength lies in its focus and simplicity. It's a sharp, precise tool that solves the very real problems faced by developers and security engineers working with modern architectures.

Key Takeaways:

  • It's Built for Modern APIs: Native support for GraphQL and gRPC makes it superior for testing and debugging these protocols.
  • It's Perfect for Automation: Its lightweight, scriptable nature makes it a prime candidate for integration into DevSecOps CI/CD pipelines.
  • It's a Developer's Debugging Dream: It provides invaluable visibility into complex microservice interactions during local development.

As we continue to build more complex, distributed systems, the need for tools that provide clarity and control without adding overhead will only grow. Hetty hits that sweet spot perfectly. If you haven't already, head over to its GitHub repository and give it a try. It might just become the most valuable tool in your 2025 arsenal.

Tags

#hetty#api security#devsecops#graphql#security testing

You May Also Like