How to use charles proxy

04.11.2021 3 Comments

how to use charles proxy

How to monitor your mobile device network traffic with Charles on OSX. To use Charles as a proxy, you first need to locate your own ip. Installing Charles SSL certificate on your device, and set up proxy. To use Charles as a proxy for your mobile app, you will need to download. Because Charles Proxy exposes encrypted traffic to a 3rd party (in this case your computer), there are security concerns inherent in its use.

youtube video

how to use Charles proxy

How to use Charles Proxy to rewrite HTTPS traffic for web applications

Posted by Tom Sabin on

Charles Proxy is an application that sits between your computer and the Internet to record HTTP(S) traffic. Most importantly for me, it has the ability to also modify a server’s HTTP response. I’ve been using Charles over the past few weeks to rewrite responses from our APIs and I’ve been slowly learning what Charles is capable of but also what it isn’t. Needless to say, there’s still a lot to learn, but the defining moment for me was when I was able to recreate a production bug, by replaying the JSON payloads to my local development server causing the same error to be raised.

When I first started using Charles Proxy, I was quite overwhelmed by the UI and how everything fitted together. This blog post will help you demystify the application, setup to inspect HTTPS traffic and demonstrate how to use Charles to rewrite requests and responses in three different ways.

For clarity, all examples in this post use Charles Proxy v4.2.7 for macOS Mojave.

Inspecting HTTPS traffic

If you haven’t already, I’d suggest downloading Charles and installing the app to follow along.

On the first boot you’ll be prompted with a dialog to automatically configure your network settings. You’ll need to Grant Privileges for Charles to work correctly.

Grant Privileges to Automatic macOS Proxy Configuration dialog

Once granted, the main interface will open and there will likely be a flurry of activity that shows up in the Structure view. This list will quickly become full of different domains, so you can Focus on specific ones by right clicking to only show focused domains. Alternatively, use the Filter search input found on the bottom left of the window.

Try reloading this page and you’ll notice that for HTTPS requests, all resources will show as <unknown>.

Encrpyted content

Fear not, for it is quite simple to install the Charles Root Certificate and configure individual URLs so that you can inspect the page’s contents.

Decrypted content

To get to this point, you’ll need to install the Charles Root Certificate. For macOS find Install Charles Root Certificate from Help → SSL Proxying in the menu bar to add the certificate to Keychain Access.

Add certification from Help item

If it doesn’t pop up, and only opens Keychain Access it’s likely you’ve installed it in the past - you should be able to find it by searching for Charles (just make sure you’ve got All Items selected before searching).

Once you’ve added the certificate, you need to double click to open the certificate window and change the Trust settings to Always Trust. Close the window to save.

Trusting certificate from Keychain Access

The last step is to configure a URL so that you can inspect the domain’s traffic. If this isn’t configured for the URL then you’ll see SSL Proxying not enabled for this host in the Notes row of how to use charles proxy Overview panel as shown below.

Notes row suggesting what to do next

As the note suggests, you’ll need to find SSL Proxying Settings from Proxy in the menu bar. Add the full domain (e.g. ) or make use of wildcards. Just avoid making an entry of only (wildcard): that will definitely start breaking all sorts of things unexpectedly.

You should now start to see the HTTPS traffic for that domain, try refreshing the browser page and you’ll notice as well that the icon next the domain has changed to a lightning bolt to show that SSL Proxying enabled for this host.

Rewriting traffic with Breakpoints

Now that we can inspect both HTTP and HTTPS traffic, we can start rewriting responses. The quickest way to achieve this is to use a Breakpoint. These are set up for specific resources (or Locations as they’re called in Charles Proxy) and will pause the response for us to modify before it reaches the client.

You can right click on any level of the resource tree structure to create a breakpoint.

Create breakpoint from right click

Without any dialogs or notification, this creates a Request & Response breakpoint. You can see the entry (and future ones) from Breakpoint Settings found in the Proxy menu bar item. If you don’t want to pause for requests (I have never needed this), you can configure the breakpoint to be only for responses - double click on the breakpoint entry and uncheck Request.

Edit Breakpoint dialog to uncheck Request option

The next time you make a request that matches the URL, Charles will show a new tab listing the responses and/or requests how to use charles proxy up. This queue can quickly become overwhelming if your matcher is too greedy, shows both requests and responses or that the site is making regular poll requests. The Status row will be helpful in determining what’s going.

Breakpoint tab with paused response

From within this tab, you can edit everything about the response: headers, cookies, JSON/HTML, etc. using the Edit Response subtab. Try changing the page’s response body using the different views available.

After you’ve edited something, you have a choice of actions to take:

  • Execute applies the changes and allow the response to reach its destination,
  • Cancel discards your changes but continues to send the response,
  • Abort kills the response, simulating a network failure.

Altered HTML in browser

Rewriting traffic with the Rewrite tool

Breakpoints are a quick way to rewrite payloads and modify status codes, but it becomes time consuming for responses you want to modify the same way each time. Thankfully, Charles has other features to make this easier. One how to use charles proxy them is called Rewrite and they can be used to modify almost everything about the request and/or response, without interuption and for each time they’re made.

We’ll use a Rewrite to modify the JSON body from (actual response shown below). Remember to setup a SSL Proxying setting for this new host.

First, copy the full URL of the endpoint and navigate to Rewrite from the Tools menu bar item. Enable Rewrite setting and add a new set. Then add a Location (URL) that defines the set. Paste the URL to the Host field and hit Tab ⇥ to auto deconstruct the URL into the relevant fields.

Create a Rewrite by pasting into the Host field

Now we can how to use charles proxy a Rewrite Rule to change the JSON response body to .

Rewrite response body with JSON value

The Match regex used here is optional for this particular example, but you may find it useful in the future to target only JSON-like responses. You may want to use this if you have CORS preflight requests that you don’t want to modify. Thanks to Austin on Stackoverflow for this workaround.

After the Rewrite Rule has been added, be sure to Apply the changes and make the request again. If you’ve used a browser to make these requests, you may need to force reload or disable cache. For our cURL output, we now have our modified response instead of the original:

In the Overview tab you’ll see a new row for Notes with so how to use charles proxy know when your rewrites are working correctly and or when they might not be correctly configured.

Notes row showing body has been altered

Rewriting traffic with Map Local

Another option you have to rewrite responses (and arguably the easiest one to manage) is Map Local. You’ll find this in both the Tools menu bar item and also at the bottom of the list when right clicking on a domain in the resource list. Let’s use the same example as before ( to try it out.

If you’re rewriting different paths and resources, the most flexible way of setting up a Mapping is to copy the path structure as folders. For our example above, we’d need a folder for each path segment and a file for the final resource that’ll contain our JSON response:

Next, when creating the Mapping, keep the Path field blank and set the Local path to to represent the site.

The next time the request is made, it’ll match the URL paths to our newly created directory structure and respond with the contents of the file.

Once again, you can verify that this is working if you take a look in the Overview tab and specifically the Notes row: .

Map Local setup with matching directory structure

I’d love for us to be using this in our development workflow, but unfortunately the Mapping cannot be filtered by HTTP method, which causes how to use charles proxy sorts of troubles for OPTIONS requests (used for CORS preflight requests). The preflight request matches the URL and therefore the response is rewritten and causes a bunch of browser errors, including:

Access to fetch at ‘[url]’ from origin has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

We’ve had to settle with using Rewrites instead, targeting responses that already have a JSON body, so we know Charles is not modifying the CORS response. For now, the workaround (matching the body to ) is working, but it’s definitely not as easy as using Map Local.

Future thoughts

When it comes to local development, Charles has become an invaluable tool to rewrite the API responses without the need to hack around the application code. However, keep in mind that this has been within the context of client side JavaScript making the requests. Some frontend web applications that we work on are backed by a Next.js server that also provides server side rendering. This server will also make requests to the same APIs, which currently show in Charles Proxy still as <unknown>. It seems that the process that is running the Node server isn’t using the web proxy that Charles’ automatically set up in my System Preferences from first application load. There’s likely a few more hoops that I need to jump through to configure the local server correctly.

I hope that future versions of Charles Proxy will support matching URLs also by HTTP methods not just for Breakpoints, as it’ll open the doors to using Map Local more often but also to not need workarounds for the Rewrite tool. But for now, those workarounds are working for us.

About Tom Sabin

A picture of Tom Sabin

My career in web development started in 2012 as a Ruby on Rails developer. Recently, I’ve moved up the stack to delve further into JavaScript, and specifically React.

Outside of work, you’ll find me climbing walls at Building One+ or VauxWall East.

You can also find me on Twitter as @tomsabin


Charles Proxy

Proxy server application

Charles Web Debugging Proxy is a cross-platform HTTP debugging proxy server application written in Java. It enables the user to view HTTP, HTTPS, HTTP/2[3] and enabled TCP port traffic accessed from, to, or via the local computer. This includes requests and responses including HTTP headers and metadata (e.g. cookies, caching and encoding information) with functionality targeted at assisting developers analyze connections and messaging.


  • Network message analysis – Charles shows full messaging sources of all HTTP and similar TCP-based communications that pass via its proxy port.
  • XML, JSON, SOAP interpretation – structured viewers that translate the raw HTTP content into a tree format for analysis.
  • HTML, CSS, JavaScript viewers – providing marked-up/formatted/unminified text content display
  • SSL debugging – allowing decryption of encrypted data to review/troubleshoot the transmitted content.
  • Bandwidth throttling – to simulate slower internet speeds by slowing down bandwidth/speed and introducing latency, for example to simulate a slower 3G connection.
  • Flash development aids – including Action Message Format (AMF) content analysis.
  • Debugging HTTP connections from mobile devices – providing a proxy between an iOS[4] or Android[5] device and a remote site, to debug HTTP connections and behavior that only occur on devices, including debugging video streaming issues, airplay issues, etc. that cannot be tested in the iOS simulator.
  • Remote file debugging – ability to swap out a remote file for a local file to aid debugging a remote site without requiring access to the server files.[6]
  • Debugging aids – such as repeating URL post requests to test server changes, adding breakpoints, or editing request variables.
  • Validation function – ability to right-click any proxy request, and provide validation feedback using the W3C Markup Validation Service, useful for content the W3C service otherwise cannot how to use charles proxy directly.

Browser support[edit]

Charles will autoconfigure for use on the following browsers:

  • IE (Windows system proxy settings)
  • Chrome
  • Firefox
  • Safari (Mac OS X or Windows system proxy settings)

See also[edit]


External links[edit]


Charles Proxy in Android emulator

In this article, we will discuss about how to capture the traffic of our Android application using a tool called Charles Proxy. I recommend you continue reading, you will love it! At least we love here at Apiumhub.  

Developing a Web application is immediately viewing and analyzing all HTTP requests that are made. Client requests and server responses are easily traceable and reproducible. Instead, when you are working with a mobile device, both physical and virtual, the analysis of this traffic is not as trivial.

Therefore we will present a tool that is very useful, as much in the case covered in this article, as in many others, Charles Proxy.

This tool can be used to monitor all HTTP and HTTPS traffic, using for it certificates that the Proxy itself provides us, with a duration of 24 hours.



First of all we will configure our Charles Proxy. To do this, let’s Proxy in the menu and follow those steps:


  • Proxy > Proxy Settings: We leave the port as default and activate “Enable transparent HTTP Proxying”

charles proxy


  • Proxy > lL Proxy Settings: Activate “Enable SSL Proxying” and we add a new entry in Locations (Host: *, Port: *)


Charles proxy




Once we set up Charles Proxy, we are going to set up our Android emulator. For that, when the time of launching it arrives, we will need to pass the IP of our Charles Proxy as an environment variable (in Charles Proxy: Help > Local IP Address), with something similar to the following command:

emulator -netdelay none -netspeed full -avd <emulador> -http-proxy http://<ip-proxy>:8888

banner blog

(If we have changed the port for another when we had to set up the Charles, we also have to change the port value)

Once the emulator is opened, we will install the certificate that gives us Charles Proxy by opening from our mobile browser this url. A dialog will automatically appear to install a new certificate on mobile as shown in the following picture: 


Charles proxy


It should be enough by putting a name and accepting the installation. Once all these steps are done, we go to Charlesproxy and click avast mobile security premium activation code the button “Start Recording” (Or also, from Proxy > Start Recording) and from now you will have any HTTP/HTTPS traffic exiting from the mobile. I leave you with a screenshot of the final result:


charles proxy


If you are interested in receiving job offers in Barcelona, tips regarding Charles Proxy and software development in general, subscribe to our newsletter here. 


If you enjoyed reading this article about Charles Proxy, you might like…



Before I leave you, I would just like to mention that if you’re looking for a new job opportunity as a software developer, you should definitely have a look at our job vacancies.



Almost every application these days communicates over HTTP: websites, RESTful services, and even SOAP APIs all make use of Hypertext Transfer Protocol. For the most part, we don’t worry too much about what is happening at the network level when we’re building these applications.

However, from time to time a problem will show up that needs us to drop to the level of the network to figure out what is going on. This is the story of one such situation and how using Fiddler or Charles could make your life much easier.

I was working with a relatively simple RESTful service which was actually hosted on the local machine. It was firewalled and I was interacting with it by pulling messages from Azure Service Bus, transforming them, and passing them to the local API. Everything was going well from Postman, the fantastic API test tool, but from the C# code I kept getting errors about being unauthorized. This API made use of Basic HTTP authentication, which passes a token in the HTTP headers. Postman showing an HTTP request against localhost.

I had already logged the HTTP headers I was sending in my C# code and they all looked correct. Why on earth was this not working? To debug this issue I needed to get into the raw packets being sent back and forth between the service and the API.

In general proxies can be used for all sorts of things:

  • caching data coming from external websites to reduce the amount of traffic going over the external interface.
  • caching data coming from your web server onto cheaper machines that don’t need to hit a database or render a complex page.
  • streamline the requests you make on your cell phone to reduce the bandwidth.

In this case, we want to simply log out all the information transmitted between the service and the API.

Try this before your next .NET push

Fiddler vs Charles

There are a number of good options that can fill the role of a logging proxy. Today we’ll look at Fiddler and Charles. Both these tools have been around for many years and are highly mature. Fiddler was recently (well if 2012 is still recent) bought by Telerik who now maintain it, but it was originally released in 2003. Even before Fiddler, the Charles proxy existed having been released in 2002. In what is almost a microcosm of the development environment back in the early 2000s, Fiddler was written in .NET and Charles in Java. After all these years both tools have picked up a pretty impressive suite of capabilities.

Let’s see how they can be used to solve my confusing HTTP API authentication problem, starting with Fiddler.


The installation package can be obtained from, and it’s relatively small and easy to install. For many years Fiddler was a standalone product, but fairly recently it was purchased by Telerik. They left the application free but have started development on a spin-off tool called FiddlerCore that will be the foundation of Fiddler going forward. You are also able to purchase FiddlerCore for use in your own applications should they need to capture traffic (You can read more about the future of Fiddler at I think there could be some very interesting applications built on top of FiddlerCore, but we’ll leave them for another article.

After Fiddler was installed I ran some requests through it and was immediately reminded that the API was using HTTPS. Putting a debugging proxy between a client and an HTTPS endpoint won’t work because HTTPS cannot be decrypted by the proxy. Fortunately, Fiddler offers a workaround where it will insert a new certificate in the SSL keychain and use that to fake a certificate for the endpoint.

HTTPS intercept options dialog. Selecting Decrypt HTTPS traffic will insert a new certificate in the certificate chain The HTTPS intercept options dialog. Selecting Decrypt HTTPS traffic will insert a new certificate in the certificate chain

With the SSL certificate in place, network traffic can now be intercepted. Here we can see the basic authentication token being passed to the server correctly. You can also see that the server responded with a 301 reply. That’s quite interesting because 301 indicates that the resource we’re looking for has moved and that the client should try the new location.

Fiddler showing the token being passed across the network connection Fiddler showing the token being passed across the network connection

The URL in the original request is /api/v1/companies/PTPTest/inventory/items, and the one to which the 301 redirects is /api/v1/companies/PTPTest/inventory/items/. The difference is subtle,  but the original URL is missing a trailing slash.

This highlights one of the differences between how Postman handles 301 redirects, and how they are handled by the HTTP client in .NET and specifically regarding the Authorize header. Postman preserves the header and sends it on the subsequent request. The HTTP client’s behavior is to strip the token on the next request. It isn’t clear from the HTTP spec what the correct behavior is here, but it seems that it is common to Mailbird Crack Registration Code Full Free Download Latest 2021 the Authorize header, possibly for security reasons or server compatibility. This explains why Postman worked fine, whereas the HTTP client failed with a permission error. Altering the URL on the .NET side to have the terminating slash (/) fixes everything.

Locating the error in Fiddler was fairly easy once the SSL Proxy was setup. The list of requests on the left-hand side and details on the right-hand side is pretty easy to understand. The interface does feel quite busy with multiple levels of tabs and then a great deal of wasted space. It is a user interface which was clearly created by a programmer.

Let’s try doing the same analysis using Charles.


Charles can be downloaded from their website. The Charles installation is painless and you can be up and running quickly. The one drawback to Charles is that it is not free. Licenses cost about $50 with some discounts available for purchasing multiple licenses. In my mind, $50 is a pretty reasonable amount to pay for a tool such as this.

Setting up Charles to handle HTTPS traffic is also quite easy. The setting can be found under the tools menu and is called SSL Proxying Settings (Proxying, incidentally, is a fantastic Scrabble word).

options dialog for SSL interception in Charles The options dialog how to use charles proxy SSL interception in Charles

Once again I was able to identify the token was being correctly passed to the 301 and then being stripped when the request was redirected. The layout of the screen was such that it is immediately obvious what the redirect did.

Charles showing the authorization header being passed as part of the request. It is clear what the redirect did by examining the next request below it in the top panel. Charles showing the authorization header being passed as part of the request. It is clear what the redirect did by examining the next request below it in the top panel.

The user interface in Charles is dramatically cleaner than Fiddler. The tab layout is nice and the vertical layout actually flows better than the left-to-right layout of Fiddler. It was easy to find the authorization token and the multiple requests to the server.

One of the useful features that Charles provides is the ability to limit bandwidth. This allows you to simulate how your site would perform on a variety of slower connection speeds.

Charles limits the bandwidth to a 56.6k modem.

Limiting the bandwidth to a 56.6k modem. Unfortunately, Charles does not include making modem connection sounds.

This can be done in Fiddler too, but it must be configured from the script editor which is far less friendly. Those with old eyes, like me, will notice the lack of high DPI support in the right pane of the editor too.

Charles limiting the bandwidth to modem speeds Limiting the bandwidth to modem speeds

At an initial glance, it might seem that to have a cleaner interface we might be losing out on a great deal of functionality in Charles. That may be the case but I could not find any common action that I how to use charles proxy do in Charles but could in Fiddler. Any advanced options in Fiddler were not missed, but my scenario was also quite simple.

Try this before your next .NET push


Fiddler provides some very advanced capabilities in its script editor. One can go about creating plugins to exercise quite complex and esoteric scenarios. There is even a site that lists a number of really nifty looking plugins for Fiddler. My favorite is the one which will rotate all the images that pass through the proxy – perfect for an April Fools joke.  Some of the plugins perform really advanced analysis of a site doing things like input fuzzing and generating content security policies. These extensibility points are simply missing from Charles.

For many years I’ve been a user of Fiddler – it has been my default go to. Both tools support HTTP2 so there is no fear that your slick new site won’t work in either tool. There is no question that Fiddler supports some much more advanced scenarios than Charles, but how to use charles proxy are scenarios that I’ve infrequently found a need how to use charles proxy in my career. With this in mind and knowing how much nicer the user experience is in Charles, I think I’ll probably switch my default tool to Charles. I’m certainly not going to uninstall Fiddler because it still has its place, but I just think that its place might be in a dusty corner into which I only reach when faced with the most unusual of problems.

Looking to improve your code while writing it? Download Stackify Prefix, the only dynamic code profiler for .NET for free.

About Simon Timms

Simon is a polyglot developer who has worked on everything from serial port drivers on an Android tablet, to NServiceBus, to processing tens of thousands of messages a second using stream analytics, to building Angular web applications. All that in the last year. He is the author of a number of books on JavaScript and ASP.NET and blogs far less regularly than he should on both the Western Dev's site ( and on his blog ( He is also the least visible member of the ASP.NET monsters ( His interests change as frequently as he changes his underwear. At the moment he is interested in F# and how AI is going to change how we develop software. He is a big picture specialist who can how to use charles proxy a cogent view of an entire system and pick the right technology to solve a problem.


Capturing network traffic is a useful method for debugging any application. Using a network proxy like Charles makes it very easy to see the data that your app is sending/recieving. This post will cover the steps to setup an iOS device to use Charles as a proxy.

More recently, I’ve found Proxyman to be an easier tool to setup and use compared to Charles.

🛠 Configure Charles

We’ll need to specify some eset nod32 antivirus crack 2019 - Crack Key For U configuration settings for Charles before we start capturing traffic.

  1. Verify the port that Charles can listen on. Default is. From the Menu go to Proxy then Proxy Settings. In the Proxies tab you’ll find the port #.
  2. Enable SSL Proxying. From the menu go to Proxy then SSL Proxying Settings. In the SSL Proxying tab make sure SSL Proxying is enabled. Also add a wildcard entry to capture everything for now. This can be changed later to filter out certain domains depending on what traffic you want to see. ssl_proxying
  3. Get the IP address. From the menu go to Help then SSL Proxying then Install Root Certificate on Mobile Device or Remote Browser. Make note of your computer’s IP address and port. ip_port
  4. Start the proxy if it didn’t autostart.

📱 Configure iPhone to use Proxy

Since I’m using an iPhone for this tutorial, these instruction will be specific to iOS. However similar steps will also work for Android.

  1. Connect to the proxy by configuring the Wi-Fi connection on the iPhone to use Charles. From the Settings Menu go to Wi-Fi, then tap the little next to the network you’re connect too. Then tap then Manual and add the IP and port from the previous steps.

  2. Accept prompt that pops up in Charles. You’ll know that a conection has started if you see this prompt.

  3. While connected to the proxy, download and install charles root certificate on the iPhone. After going to this url, follow all the prompts to download and install the cert.

  4. Enable the root cert by going to Settings, General, About, sroll to the bottom and tap Certificate Trust Settings. Enable the toggle for the root cert on that page.



iOS bug saving manual proxy configuration. If WinRar 6.02 Crack Full Version For PC Free Download 2021 happens, just forget the network and re-add it. I noticed this behavior on iOS 12.3.1.

This setup was all done with devices on the same LAN through Wi-Fi. I can’t speak for other configurations.

SSL Pinning

Some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles’s certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

how to use charles proxy

Notice: Undefined variable: z_bot in /sites/ on line 178

Notice: Undefined variable: z_empty in /sites/ on line 178


Leave a Comment