Built for Security Workflows

HTTP Client.
Fuzz Engine.
Local First.

A Postman alternative crafted for pentesters and security engineers. Built with Tauri + React + Rust. No telemetry. No cloud required.

Platform: Windows · macOS · Linux | License: MIT

Built Different.
For Those Who Break Things.

HTTP Client

Full-featured request builder with method support, custom headers, authentication, and response inspection. Everything you expect, nothing you don't need.

Fuzzing Engine

Built-in fuzzer inspired by ffuf. Define wordlists, set match conditions, configure threads. Discover endpoints without leaving the interface.

Privacy First

Your data stays on your machine. No accounts, no cloud sync by default, no telemetry. Collections stored locally in human-readable JSON.

Capabilities

HTTP Request Workflows

Craft requests with precision. Support for all HTTP methods, custom headers, query parameters, and body formats. Variables, environments, and pre-request scripts for complex workflows.

  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
  • JSON, Form-Data, Raw, Binary body types
  • Environment variables & secrets management
  • Response history with diff comparison

Integrated Fuzzing Engine

No more context switching between your HTTP client and ffuf. HttpFuzzer brings fuzzing capabilities directly into your workflow with a familiar interface and powerful configuration.

  • Wordlist support with custom payloads
  • Multi-threaded concurrent requests
  • Match/filter by status code, size, words
  • Export results to JSON or CSV

~/.reqforge/collections/
├── pentest-project-alpha/
│   ├── collection.json
│   ├── environment.json
│   └── requests/
│       ├── auth-bypass.json
│       └── sql-injection.json
├── bug-bounty-targets/
│   └── collection.json
└── .sync-config # optional

Local-First Storage

Your collections live on your filesystem in plain JSON. Version control them with Git. Back them up how you want. No proprietary formats, no vendor lock-in.

  • Human-readable JSON format
  • Git-friendly structure
  • Import/export for sharing
  • Optional sync: GitHub, WebDAV, S3

Technical Stack & Philosophy

Tauri

Lightweight runtime with native system access. Smaller binaries than Electron, lower memory footprint, better security model.

Runtime

React

Component-based UI with TypeScript. Fast iteration, predictable state management, and a rich ecosystem.

Frontend

Rust

Performance-critical operations in Rust. Memory safety without garbage collection. Native speed for fuzzing and file operations.

Backend

Design Philosophy

Security by Default

No telemetry, no analytics, no phone-home. Your requests and collections never leave your machine unless you explicitly configure sync.

Offline Capable

Works entirely offline. No account required. No internet dependency for core functionality.

Transparent & Open

Open source under MIT license. Audit the code yourself. Contribute improvements. Fork it if you want.

Roadmap

Current Release

v1.0 — Foundation

  • Full HTTP client functionality
  • Built-in fuzzing engine
  • Local collection storage
  • JSON import/export

In Development

v1.x — Collaboration

  • Live collaboration over LAN/Wi-Fi
  • Real-time request sharing
  • Team collection sync

Exploring

v2.0 — AI Assist

  • AI-assisted cURL editing panel
  • Intelligent payload suggestions
  • Request optimization hints

Ready to Get Started?

Download HttpFuzzer for your platform. Free, open source, no strings attached.

Or build from source:

git clone https://github.com/Xyloforge/http-fuzzer && cd http-fuzzer && cargo tauri build