JunKangWorld
Web Security

Quick Start Hetty (dstotijn): 5 Key Steps for 2025

Ready to master HTTP analysis in 2025? Our quick start guide walks you through 5 key steps to install, configure, and effectively use Hetty for security research.

A

Alex Rivera

A security engineer and developer advocate specializing in network analysis and open-source tools.

7 min read23 views

Quick Start Hetty (dstotijn): 5 Key Steps for 2025

In the ever-evolving landscape of web development and cybersecurity, having the right tools to inspect and understand HTTP traffic is no longer a luxury—it's a necessity. Whether you're debugging a tricky API integration, analyzing an application's security posture, or simply curious about what your devices are sending over the network, a capable HTTP toolkit is indispensable. While powerful tools like Burp Suite and Charles Proxy have long dominated this space, a simpler, more modern alternative has been gaining traction: Hetty.

Hetty, an open-source HTTP toolkit for security research by Dennis Stötijn, is designed with simplicity and a streamlined workflow in mind. It operates as a man-in-the-middle (MITM) proxy, intercepting traffic between your machine and the internet. What sets it apart is its clean, web-based user interface and its project-based approach, which helps you stay organized and focused on the task at hand without getting lost in a sea of network noise.

If you're looking for a user-friendly yet powerful tool to add to your arsenal in 2025, you've come to the right place. This guide will walk you through five key steps to get you up and running with Hetty, from installation to capturing and analyzing your first requests.

Step 1: Installation and Setup

Getting Hetty onto your system is refreshingly straightforward. Unlike some complex security tools, you don't need a lengthy installation wizard. The developers provide pre-compiled binaries for all major operating systems, which is the recommended path for most users.

Installing Hetty

  1. Navigate to the official Hetty GitHub Releases page.
  2. Download the latest binary for your operating system (e.g., hetty_x.x.x_darwin_amd64 for macOS, hetty_x.x.x_windows_amd64.exe for Windows, or hetty_x.x.x_linux_amd64 for Linux).
  3. (Optional but recommended) Move the binary to a location in your system's PATH, like /usr/local/bin on macOS/Linux or a dedicated tools folder on Windows. This allows you to run it from any terminal window.

For those who prefer to build from source and have Go installed, you can simply run:

go install github.com/dstotijn/hetty/cmd/hetty@latest

Running Hetty for the First Time

Once installed, open your terminal and run the command:

hetty

That's it! You should see output indicating that the server has started. By default, Hetty's web interface runs on port 8080, and it also uses this port for the proxy server itself.

Now, open your web browser and navigate to http://localhost:8080. You'll be greeted by Hetty's clean and intuitive dashboard. You're officially up and running!

Step 2: Generating and Trusting the CA Certificate

To inspect HTTPS traffic (which is most web traffic today), Hetty needs to perform a man-in-the-middle interception. It does this by generating its own Certificate Authority (CA) and using it to issue certificates for the domains you visit. For your browser to accept these on-the-fly certificates without screaming with security warnings, you must first tell your operating system to trust Hetty's root CA.

Generating the CA Certificate

Advertisement

This part is incredibly simple with Hetty. In the web interface you opened in the last step, you'll likely see a prominent message about the CA certificate. If not, click on the shield icon or navigate to the certificate menu.

Hetty automatically generates a CA certificate for you. All you need to do is download it. Look for a link or button that says something like "Download CA Certificate" and save the hetty-ca.pem file to a memorable location.

Trusting the CA Certificate on Your System

This is the most platform-specific part of the setup. You need to import and trust the hetty-ca.pem file.

  • On macOS: Open the Keychain Access app. Go to File > Import Items... and select your hetty-ca.pem file. Make sure to import it into the "login" or "System" keychain. Then, double-click the newly imported "Hetty CA" certificate, expand the "Trust" section, and set "When using this certificate" to "Always Trust".
  • On Windows: Press Win + R, type certmgr.msc, and hit Enter. Right-click on "Trusted Root Certification Authorities", then go to All Tasks > Import.... Follow the wizard, browsing to your hetty-ca.pem file. Place the certificate in the "Trusted Root Certification Authorities" store.
  • On Linux (Debian/Ubuntu): Copy the .pem file to /usr/local/share/ca-certificates/ as a .crt file. Then run sudo update-ca-certificates.

Note: Firefox manages its own certificate store. To trust the CA in Firefox, go to Settings > Privacy & Security > Certificates > View Certificates..., click the "Authorities" tab, press "Import...", and select your hetty-ca.pem file. Check the box to "Trust this CA to identify websites."

Step 3: Configuring Your Browser or Device

Now that your system trusts Hetty, you need to direct your web traffic to it. This means configuring your browser or operating system to use Hetty as an HTTP and HTTPS proxy.

The settings are always the same:

  • Proxy Server/Host: 127.0.0.1 (or localhost)
  • Port: 8080
Browser Proxy Configuration
Browser Configuration Method
Firefox Has its own network settings. Go to Settings > General > Network Settings > Settings.... Select "Manual proxy configuration" and enter the host and port for both HTTP and HTTPS.
Google Chrome / Edge / Safari These browsers typically use the operating system's proxy settings. You'll need to configure this in your OS network settings (e.g., System Settings on macOS, Proxy Settings on Windows).

For quick toggling, using a browser extension like FoxyProxy or Proxy SwitchyOmega is highly recommended. You can create a profile for Hetty and switch it on and off with a single click, which is much more convenient than digging into settings every time.

Step 4: Capturing and Analyzing Your First Request

This is where the magic happens. With Hetty running and your browser configured, simply start browsing the web. Visit a site like https://example.com.

Switch back to the Hetty web interface at http://localhost:8080. You should see the request log on the left-hand side start to populate. Congratulations, you're intercepting traffic!

Click on any request in the log to open the main analysis panel. Here you'll find everything you need:

  • Request: View the full raw request, including the method, path, headers, and body.
  • Response: View the server's response, including the status code, headers, and body.
  • Formatted Previews: Hetty automatically formats common content types like JSON, HTML, and images, making them easy to read. You can toggle between "Raw," "Pretty," and "Preview" views.

Take a moment to click around. Inspect the headers of a request to an API. Look at the JSON response and see how it's structured. The immediate, clear feedback loop is one of Hetty's greatest strengths.

Step 5: Leveraging Projects and Scopes

One of Hetty's standout features is its organizational structure. If you just let it run, it will capture all traffic from your browser, which can be overwhelming. This is where Projects and Scopes come in.

Using Projects

Think of a Project as a dedicated workspace for a specific task. For example, you might create a project for "Testing My Web App's Login API" or "Analyzing Third-Party Trackers." In the Hetty UI, you can create a new project from the main menu. All subsequent captured requests will be stored within that active project, keeping your work clean and separated.

Defining Scopes for surgical precision

Scopes are the real power-up. A scope defines a set of rules that tell Hetty what traffic to capture and what to ignore. This is crucial for reducing noise.

Let's say you're only interested in the API calls your application makes to api.yourapp.com. You can set a scope to only include that domain.

  1. Make sure you have a Project active.
  2. Navigate to the "Scope" section for that project.
  3. Add a new rule. Set the "URL (wildcard)" field to something like: *api.yourapp.com*.

Now, Hetty will only log requests where the URL matches that pattern. All other traffic (to Google, to CDNs, to analytics services) will be passed through without being logged, leaving your request log pristine and focused on what truly matters to you. This simple feature transforms Hetty from a blunt instrument into a surgical tool.

Conclusion: What's Next?

In just five steps, you've gone from zero to having a fully functional, modern MITM proxy. You've installed Hetty, configured it to decrypt HTTPS, and learned how to use its core organizational features to focus your analysis. This foundation is all you need to start tackling real-world debugging and security research tasks.

From here, your journey can go in several directions. You could explore Hetty's Sender module to modify and resend requests, a key technique for API testing and security validation. You could dive into its native support for GraphQL, or even contribute to the open-source project on GitHub. Hetty's simplicity is its strength, providing a powerful yet approachable entry point into the world of network analysis.

So go ahead, fire it up for your next project, and enjoy the clarity and control it brings to understanding HTTP traffic.

Tags

#Hetty#HTTP Proxy#MITM#Security Research#API Debugging

You May Also Like