Options

The options section tunes the proxy's automatic URL handling. Currently it exposes a single subsection — rewrite — that controls how aggressively the proxy detects and rewrites URLs that appear in proxied content.

Shape

    options: {
      rewrite: {
        global: {
          auto_detect_urls: true,
          auto_rewrite_urls: true
        }
        requests: [
          { trigger: { hostname: "akira.lab.evilginx.com" }, options: { auto_rewrite_urls: true } }
        ]
        responses: [
          { trigger: { hostname: "akira.lab.evilginx.com" }, options: { auto_rewrite_urls: true } }
        ]
      }
    }

Three scopes are evaluated in order of increasing specificity:

  1. global — defaults applied to every proxied request and response.
  2. requests[] — per-trigger overrides applied to matching outgoing requests.
  3. responses[] — per-trigger overrides applied to matching incoming responses.

For a given request or response, the most specific scope wins: a matching requests[] / responses[] entry overrides global.

Available toggles

The same two fields are valid in every scope.

| Field | Type | Default | Description |
|---|---|---|---|
| auto_detect_urls | bool | false | When true, the proxy scans proxied bodies for URLs and adds the discovered hostnames to the proxied host set. Newly added hosts get a random subdomain. Useful for sprawling SPAs that load assets from unpredictable third-party domains. |
| auto_rewrite_urls | bool | true | When true, the proxy rewrites known proxied hostnames it finds in bodies and headers, replacing them with their phishing equivalents (previously called autofilter). |

Note: auto_detect_urls requires auto_rewrite_urls

auto_detect_urls only adds hosts to the proxied set; the rewrite of the content is still performed by auto_rewrite_urls. Disable both if you want no URL rewriting at all; enable just auto_rewrite_urls if you want to rewrite only hosts you explicitly listed in proxy.hosts.

Per-trigger overrides

Each entry under requests[] or responses[] is an object with two fields:

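| Field | Type | Required | Description |
|---|---|---|---|
| trigger | trigger | yes | Selects which requests/responses this override applies to. |
| options | object | yes | The toggles above; values set here override the corresponding global values for matching requests/responses. |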

A typical pattern: keep auto_detect_urls off globally (to avoid surprises), and turn it on only for the one or two hostnames that load assets from many third-party domains.

    options: {
      rewrite: {
        global: { auto_rewrite_urls: true }
        responses: [
          {
            trigger: { hostname: "app.example.com", mime_types: ["text/html"] },
            options: { auto_detect_urls: true }
          }
        ]
      }
    }
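
The precedence and dependency rules described on this page, sketched as an added Python example (not Evilginx's own code) for reviewing what a config will actually do for one message. It assumes a trigger matches when every field it sets matches, that overrides merge field by field over global, and that the first matching entry applies; the function names and the cdn.example.com host are constructed for illustration.

```python
# Added illustration, not the proxy's implementation. Assumptions: hostname is
# compared exactly, mime_types by membership, overrides merge field by field,
# and the first matching entry in a list is the one applied.
DEFAULTS = {"auto_detect_urls": False, "auto_rewrite_urls": True}  # from the toggle table

def trigger_matches(trigger, msg):
    """A trigger matches when every field it sets agrees with the message."""
    if "hostname" in trigger and trigger["hostname"] != msg.get("hostname"):
        return False
    if "mime_types" in trigger and msg.get("mime_type") not in trigger["mime_types"]:
        return False
    return True

def effective_options(rewrite, direction, msg):
    """direction is 'requests' or 'responses'; msg describes one proxied message."""
    opts = {**DEFAULTS, **rewrite.get("global", {})}
    for entry in rewrite.get(direction, []):
        if trigger_matches(entry["trigger"], msg):
            opts.update(entry["options"])  # the more specific scope wins
            break
    return opts

def detect_without_rewrite(opts):
    """True when hosts would be discovered but bodies never rewritten."""
    return bool(opts["auto_detect_urls"] and not opts["auto_rewrite_urls"])

# The "typical pattern" config from this page, transcribed as a Python dict.
REWRITE = {
    "global": {"auto_rewrite_urls": True},
    "responses": [
        {"trigger": {"hostname": "app.example.com", "mime_types": ["text/html"]},
         "options": {"auto_detect_urls": True}},
    ],
}

if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ({"hostname": "app.example.com", "mime_type": "text/html"},
                {"hostname": "app.example.com", "mime_type": "application/json"},
                {"hostname": "cdn.example.com", "mime_type": "text/html"}):
        opts = effective_options(REWRITE, "responses", msg)
        flag = "detect without rewrite" if detect_without_rewrite(opts) else "ok"
        print(msg, "->", opts, flag)
```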