
Open-source local-first HTTP debugging proxy for inspecting sensitive app traffic
Hi everyone,
I’m the developer of Rockxy.
Rockxy is an open-source native macOS HTTP/HTTPS debugging proxy for inspecting real app and API traffic locally.
I thought it might fit here because traffic debugging tools often see very sensitive data: auth headers, session tokens, cookies, internal APIs, GraphQL payloads, WebSocket messages, mobile app traffic, and sometimes production-like data during development.
Rockxy’s direction is local-first by default: capture and inspection happen on your Mac, and the project is open source so developers can inspect how the tool works instead of treating the proxy as a black box.
What it supports today:
- HTTP/HTTPS inspection
- WebSocket and GraphQL debugging
- macOS app, CLI, backend service, and iOS Simulator/device traffic
- Local certificate/proxy setup for HTTPS debugging
- Request/response inspection
- Breakpoints, Map Local, Map Remote
- HAR, cURL, JSON, raw, .rockxysession, and OpenAPI export
- Local-first workflow
Repo:
https://github.com/RockxyApp/Rockxy
Website:
I’m not posting this as a big launch. I’m mainly curious how privacy/security-minded developers think about traffic debugging tools.
A few questions:
- Do you trust local HTTP debugging proxies with sensitive traffic?
- What would make this kind of tool more trustworthy?
- Does open source matter for proxy/debugging tools?
- Would you prefer everything to stay local unless you explicitly export/share a session?
- What privacy/security mistakes should a tool like this avoid?