Fiddler

Description

Eric Lawrence in 2003 wrote the first version of Fiddler while working at Microsoft. He built it to help his team debug traffic that was coming over the internet through the browser to Internet Explorer and Microsoft Windows — a proxy that would sit between the browser and the internet, logging every request and response so developers could see exactly what was being sent and received. More than two decades later, Fiddler is one of the most widely used in the industry as an effective tool for debugging the Hypertext Transfer Protocol (HTTP), now maintained by Progress Software, and available in a free classic version for Windows and a cross-platform commercial version called Fiddler Everywhere.

A web debugging proxy is used to intercept the traffic of an application and a server over the http and https protocol. Fiddler is able to capture that traffic and display it as a readable log so that developers, QA engineers, and security researchers can examine the request headers, response bodies, cookies, authentication tokens, redirects, and timing data. Beyond passive inspection, Fiddler can alter requests and responses on the fly — modifying headers, swapping out content, simulating network conditions, and replaying saved sessions — making it useful for testing how applications behave under conditions that can be hard to reproduce through normal use.

ORIGINS AND DEVELOPMENT

Lawrence made Fiddler free to use and public in 2003, making it available to developers outside Microsoft. The problem of debugging over the network (HTTP) that it solved was real and common — developers building web applications needed to see real traffic between their code and servers, and the browser’s built-in developer tools of the time were limited. Fiddler filled the gap and gained a huge user base among Windows developers and network administrators.

Telerik, a Bulgarian software company that is famous for developer tools and UI components, bought Fiddler in 2012. Telerik was then acquired by Progress Software in 2014 and Fiddler was included as part of the Telerik portfolio. Lawrence left and continued working on browser technology, while Progress continued to develop Fiddler Classic and later created Fiddler Everywhere as a rebuilt, cross-platform version.

Fiddler Everywhere was launched as a subscription product aimed at professional development teams with capabilities that go beyond what Fiddler Classic provided: a collaborative session sharing system, a more polished interface, the ability to test APIs, a mock server, and support for macOS and Linux. Fiddler Classic is still available for free to Windows users who prefer the original interface or who need a tool without the costs of subscribing to it.

Traffic Capture and Inspection

Fiddler registers itself as a system proxy and redirects all the http and https traffic from the machine through its capture engine. Each request and response is a row in the session list with URL, method, status code, response size and timing. Selecting any session will open the entire request and response in an inspector panel with views for headers, body content, cookies, query parameters and raw data. For the case of HTTPS traffic, Fiddler installs a root certificate to decrypt and display encrypted content — the installation of the root certificate is required to display the HTTPS traffic in plain text.

Request and Response Modification

The Composer panel allows users to manually build new HTTP requests and send them without any browser or application. The AutoResponder feature intercepts certain URL patterns and returns custom responses — a developer can redirect a production API call to a local test server, return a saved response file instead of making a live network request, or simulate the return of an error code as an HTTP response for testing error handling code. The FiddlerScript system, based on JScript.NET, enables custom rules that can run on every captured session, changing headers, logging data, or triggering an alert based on the content of traffic.

HTTPS Decryption

Most modern web traffic is encrypted with the SSL, otherwise known as the https encryption, which would render packet capture useless without decryption. Fiddler is a trusted man-in-the-middle: It uses its own certificate to the application and uses the real certificate of the server to make the actual connection. This requires the root CA certificate of Fiddler to be installed as trusted on the system. The setup is standard practice for development and testing environments, where developers require the ability to inspect their own application’s encrypted traffic.

Performance Analysis

The Timeline tab is a visualization of the timing of sessions, indicating when each request began, how long it took the server to respond, and how long the transfer took. The Statistics panel summarizes a selected group of sessions with total bytes transferred, request counts and timing distributions. These views help developers to identify slow API calls, large assets and requests that block page rendering.

Fiddler Everywhere: API Testing and Collaboration

Fiddler Everywhere adds functionality beyond the classic version’s focus on debugging. A full API testing environment allows teams to create and organize collections of http requests with variable substitution, environment switching between development, staging and production configurations, and automated test assertions on response content. Teams can share saved sessions, request collections, and API mock configurations via a cloud workspace, which makes Fiddler Everywhere good for collaborative QA workflows (vs. individual developer debugging alone).

Mock Server

Fiddler Everywhere’s mock server generates the creation of http endpoints that respond with defined responses without the need of connecting to any kind of backend server. Frontend developers use mock servers to develop UI code before the backend API is complete.