diff --git a/_config.yml b/_config.yml index b0d31832..36e1ace9 100644 --- a/_config.yml +++ b/_config.yml @@ -24,6 +24,9 @@ navigation: modify-and-filter-traffic: title: Modify & Filter Traffic position: 50 + mcp-server: + title: MCP Server + position: 55 compose-api-requests: title: Compose API Requests position: 60 diff --git a/installation-and-setup/managed-app-configuration.md b/installation-and-setup/managed-app-configuration.md index c1bdcf3f..9ef6222d 100644 --- a/installation-and-setup/managed-app-configuration.md +++ b/installation-and-setup/managed-app-configuration.md @@ -36,6 +36,7 @@ IT teams managing macOS systems can apply app configuration using their preferre | `DisableVpnHostBypass` | Disables Fiddler's automatic VPN bypass. | integer | 1 | | `CustomCACertificate` | DER-encoded base64 string of a custom certificate. | string | `` | | `CustomCACertificatePrivateKey` | DER-encoded base64 string of the private key. | string | `` | +| `DisableMCP` | Enables or disables the Fiddler Everywhere MCP server | integer | 1 | >important Even with **DisableCloud** enabled, users still need access to [required Fiddler Everywhere API endpoints]({%slug first_steps_windows%}#prerequisites). For environments with limited internet access, consider using [Fiddler's offline mode](https://www.telerik.com/blogs/offline-mode-fiddler-everywhere). @@ -106,6 +107,7 @@ HKEY_CURRENT_USER\SOFTWARE\Policies\Progress\Fiddler Everywhere | `DisableVpnHostBypass` | Disables Fiddler's automatic VPN bypass. | DWORD-32 (hexadecimal) | 1 | | `CustomCACertificate` | DER-encoded base64 string of a custom certificate. | String Value | `` | | `CustomCACertificatePrivateKey` | DER-encoded base64 string of the private key. | String Value | `` | +| `DisableMCP` | Enables or disables the Fiddler Everywhere MCP server | DWORD-32 (hexadecimal) | `1` | --- diff --git a/mcp-server/fiddler-mcp-server.md b/mcp-server/fiddler-mcp-server.md new file mode 100644 index 00000000..d04a8ed9 --- /dev/null +++ b/mcp-server/fiddler-mcp-server.md @@ -0,0 +1,146 @@ +--- +title: Fiddler MCP Server +page_title: Fiddler MCP Server +description: "Learn how to install, configure, and use the Fiddler Everywhere MCP server to integrate captured HTTPS traffic analysis with AI-powered IDEs and development tools." +slug: fiddler-mcp-server +publish: true +position: 1 +--- + +# Fiddler MCP Server + +The Fiddler Everywhere MCP (Model Context Protocol) server lets you interact with LLM models and reach new levels of developer productivity. The MCP server provides proprietary context to AI-powered IDEs, apps, and tools. You can use the Fiddler Everywhere MCP server for comprehensive analysis of captured HTTPS traffic, including web debugging, security highlights, performance reports, data extraction, and general usage. The Fiddler MCP enables you to successfully prompt more complex questions and tasks, and generate tailored code based on the information received from the captured HTTPS traffic. + +## Prerequisites + +To use the Fiddler Everywhere MCP server, you need: + +- The latest version of Fiddler Everywhere. +- An active internet connection. +- A unique API Key for the Fiddler Everywhere MCP server (generated within the application). +- A compatible MCP client (IDE, code editor, or app) that supports MCP tools. + +## Installation + +The generic settings for the Fiddler Everywhere MCP server are: + +* **Server name handle**: `#fiddler` (default value - can be customized through **Settings > MCP Server**) +* **Server type**: `http` +* **Server URL**: `http://localhost:8868/mcp` (default value - the port can be customized through **Settings > MCP Server**) +* **Authorization**: A generated unique API key to be placed as an `Authorization` header. + +### Visual Studio Code + +To enable the Fiddler Everywhere MCP server in Visual Studio Code, follow these steps: + +1. Start the Fiddler Everywhere application. +2. Go to **Settings > MCP Server** and complete the following: + * Set the MCP server port (default value is `8868`). + * Generate a unique API Key. + * Copy the generated JSON configuration from the **VSCode** tab. +3. Open your Visual Studio Code workspace and complete the following: + * Create a `.vscode/mcp.json` file in your workspace. + * Paste the copied Fiddler Everywhere MCP configuration. Ensure that the JSON is properly formatted and that the Fiddler MCP server is within the `servers` property. + + _example mcp.json file in VSCode with Fiddler Evereywhere MCP server_ + ```JSON + { + "servers": { + "fiddler": { + "type": "http", + "url": "http://localhost:8868/mcp", + "headers": { + "Authorization": "ApiKey FIDDLER_API_KEY_HERE" + } + } + } + } + ``` +4. Start the Fiddler Everywhere MCP server in Visual Studio Code. + +### Cursor + +To enable the Fiddler Everywhere MCP server in Cursor, follow these steps: + +1. Start the Fiddler Everywhere application. +2. Go to **Settings > MCP Server** and complete the following: + * Set the MCP server port (default value is `8868`). + * Generate a unique API Key. + * Copy the generated JSON configuration from the **Cursor** tab. +3. Open your Cursor workspace and complete the following: + * Create a `.cursor/mcp.json` file in your workspace. + * Paste the copied Fiddler Everywhere MCP configuration. Ensure that the JSON is properly formatted and that the Fiddler MCP server is within the `mcpServers` property. + + _example mcp.json file in Cursor with Fiddler Evereywhere MCP server_ + ```JSON + { + "mcpServers": { + "fiddler": { + "url": "http://localhost:8868/mcp", + "headers": { + "Authorization": "ApiKey FIDDLER_API_KEY_HERE" + } + } + } + } + ``` +4. Start the Fiddler Everywhere MCP server in Cursor. + +## Usage + +To use the Fiddler Everywhere MCP server: + +1. Start the Fiddler Everywhere application. +2. Configure the MCP server in your IDE: + * [Visual Studio Code](#visual-studio-code) + * [Cursor](#cursor) + * Or any other compatible IDE that supports MCP servers with tools. +3. Enable the **agent mode** in your IDE. +4. Start your prompt with `#fiddler` (or with `#` followed by your custom server name, if configured). + +The MCP server will provide context from your captured HTTPS traffic to enhance your MCP-assisted development workflow. + +>tip You can jump start your MCP journey by exploring our [prompt library]({%slug fiddler_ai_prompt_library%}) + + +### Supported Capturing Modes + +The Fiddler Everywhere MCP server supports the following capturing modes: + +- [Browser capturing mode]({%slug capture-browser-traffic%}) +- [Terminal capturing mode]({%slug capture-terminal-traffic%}) +- [Reverse proxy]({%slug fiddler-reverse-proxy%}) + +## MCP Output Sanitization + +The Fiddler Everywhere application provides a sanitization tool that automatically removes sensitive data from the output passed to the MCP server. The data sanitization feature enables users to minimize the risk of disclosing specific information. + +>important Even with the feature enabled, Fiddler will attempt to sanitize the captured traffic, but complete removal of sensitive data is not guaranteed. The user is responsible for verifying the output and preventing unintended disclosure. + +By default, the sanitization is enabled for all data passing through the MCP server. You can control what type of data to sanitize or add more strict rules through the **Settings > Sanitization** section. + +## MCP Access Policies + +The Fiddler Everywhere application provides managed application policies through its Fiddler Everywhere Enterprise tier. The `DisableMCP` policy enables license administrators to completely restrict access to the Fiddler Everywhere MCP server for licensed users. + +### Windows + +IT teams managing Windows systems can apply app configuration keys using their preferred administrative tooling by setting values in the following registry path: + +``` +HKEY_CURRENT_USER\SOFTWARE\Policies\Progress\Fiddler Everywhere +``` + +| Key Name | Description | Value Type | Value Example | +|:---------|:------------|:-----------|:--------------| +| `DisableMCP` | Enables or disables the Fiddler Everywhere MCP server | DWORD-32 (hexadecimal) | `1` | + +### macOS + +IT teams managing macOS systems can apply app configuration using their preferred device management solution (such as Jamf, Intune, or similar) by setting the following keys: + +| Key Name | Description | Value Type | Value Example | +|:---------|:------------|:-----------|:--------------| +| `DisableMCP` | Enables or disables the Fiddler Everywhere MCP server | integer | `1` | + +For more information on using managed application configurations, refer to the [Managed Application Policies]({%slug fe-restrict-policies%}) article. diff --git a/mcp-server/prompt-library.md b/mcp-server/prompt-library.md new file mode 100644 index 00000000..c6c98821 --- /dev/null +++ b/mcp-server/prompt-library.md @@ -0,0 +1,344 @@ +--- +title: Prompt Library +page_title: Fiddler Everywhere AI Prompt Library +description: "Explore built-in and custom AI prompts for the Fiddler Everywhere MCP server to analyze HTTP traffic, debug applications, optimize performance, and enhance your development workflow." +slug: fiddler_ai_prompt_library +position: 10 +--- + +# Fiddler Everywhere Prompt Library + +Welcome to the Fiddler Everywhere Prompt Library—your comprehensive resource for AI-powered HTTP traffic analysis and debugging. + +This library provides ready-to-use prompts optimized for the Fiddler Everywhere [MCP Server]({%slug fiddler-mcp-server%}). Whether you're performing web debugging, security analysis, performance optimization, or data extraction, these prompts will help you maximize productivity by leveraging AI assistance with your captured HTTPS traffic. + +>tip Start with the [built-in prompts](#built-in-mcp-prompts) for quick actions, or explore [custom prompts](#custom-prompts) for advanced scenarios. + +## Built-in MCP Prompts + +The Fiddler Everywhere MCP server includes predefined system prompts for common operations. These built-in prompts provide quick access to Fiddler's core functionality directly from your AI-powered IDE. + +### How to Use Built-in Prompts + +1. Start your AI-powered IDE in **agent mode**. +2. Type `/mcp.fiddler.` to display all available built-in prompts. +3. Select the desired prompt or continue typing to autocomplete. + +### Available Built-in Prompts + +#### Authentication and Status + +```sh +/mcp.fiddler.initiate-login +``` +Initiates the login process to authenticate with Fiddler Everywhere. + +```sh +/mcp.fiddler.is-user-logged-in +``` +Checks the current authentication status to verify if the user is logged in to Fiddler Everywhere. + +```sh +/mcp.fiddler.get-status +``` +Retrieves the current operational status of Fiddler Everywhere, including capturing state and connection information. + +#### Certificate Management + +```sh +/mcp.fiddler.open-trust-root-certificate-dialog +``` +Opens the system dialog for trusting the Fiddler root certificate, required for HTTPS traffic decryption. + +#### Traffic Capturing + +```sh +/mcp.fiddler.start-capture-with-terminal +``` +Starts a new Terminal instance with Fiddler proxy settings automatically configured for capturing command-line traffic. + +```sh +/mcp.fiddler.start-capture-with-chrome +``` +Launches a new Chrome browser instance with Fiddler proxy settings pre-configured for capturing web traffic. + +#### Session Management + +```sh +/mcp.fiddler.get-sessions-count +``` +Returns the total number of currently captured sessions in Fiddler Everywhere. + +```sh +/mcp.fiddler.get-sessions +``` +Retrieves the currently captured sessions with optional filters applied for targeted analysis. + +```sh +/mcp.fiddler.get-session-details +``` +Fetches detailed information about a specific session. You will be prompted to provide the session ID. + +```sh +/mcp.fiddler.clear-sessions +``` +Clears all currently captured sessions from Fiddler Everywhere. + +#### Reverse Proxy Operations + +```sh +/mcp.fiddler.add-reverse-proxy-port +``` +Configures a reverse proxy in Fiddler. You will be prompted for: +- Client port to listen on (1025-65535) +- Remote host to forward traffic to + +```sh +/mcp.fiddler.remove-reverse-proxy-port +``` +Removes a previously configured reverse proxy port. You will be prompted for the client port number. + +```sh +/mcp.fiddler.enable-reverse-proxy +``` +Activates the reverse proxy functionality in Fiddler Everywhere. + +```sh +/mcp.fiddler.disable-reverse-proxy +``` +Deactivates the reverse proxy functionality in Fiddler Everywhere. + +## Custom Prompts + +Beyond the built-in prompts, you can use natural language to create custom prompts tailored to your specific debugging and analysis needs. The Fiddler Everywhere MCP server understands conversational queries and can perform complex operations based on your instructions. + +All custom prompts in this library use the `#fiddler` handle to target the [MCP Server]({%slug fiddler-mcp-server%}). Ensure you have [installed and enabled the MCP Server]({%slug fiddler-mcp-server%}#installation) before using these prompts. + +### How to Use Custom Prompts + +1. **Browse** the prompt library to find a prompt that matches your use case. +2. **Copy** the prompt text, including the `#fiddler` handle. +3. **Customize** (optional) the prompt for your specific scenario, replacing placeholders like `{keyword}`, `{clientPort}`, or `{remoteHost}` with actual values. +4. **Run** the prompt in your AI-powered IDE's agent mode. + +>warning Always review and validate the code, configurations, and solutions proposed by AI-powered tools before applying them to your production environment. + +### Capture and Session Management + +Start capturing traffic and manage your sessions with these essential prompts: + +``` +#fiddler Start capturing HTTP traffic in Fiddler using Chrome +``` + +``` +#fiddler Start capturing HTTP traffic in Fiddler using a Terminal +``` + +``` +#fiddler Add a reverse proxy, listening on {clientPort} and forwarding traffic to {remoteHost} +``` + +``` +#fiddler Disable the reverse proxy +``` + +``` +#fiddler Apply a filter to capture traffic that contains localhost +``` + +``` +#fiddler Apply a filter to capture traffic that contains {keyword} +``` + +``` +#fiddler Show filtered sessions +``` + +``` +#fiddler Clear all filters +``` + +``` +#fiddler Clear all captured sessions +``` + +### Traffic Analysis + +Analyze captured HTTP traffic to understand application behavior and identify issues: + +``` +#fiddler Analyze the captured HTTP traffic +``` + +``` +#fiddler Analyze session with ID {sessionId} +``` + +``` +#fiddler Summarize all API calls made to {domain} +``` + +``` +#fiddler Show me all failed requests (status codes 4xx and 5xx) +``` + +``` +#fiddler List all sessions with response times greater than 2 seconds +``` + +``` +#fiddler Extract all unique domains from the captured traffic +``` + +### Security Analysis + +Identify security vulnerabilities and sensitive data exposure: + +``` +#fiddler Does the filtered sessions contain sanitized data +``` + +``` +#fiddler Analyze the captured sessions for leaked sensitive data +``` + +``` +#fiddler Analyze the captured sessions and suggest security optimizations +``` + +``` +#fiddler Check for insecure HTTP connections in the captured traffic +``` + +``` +#fiddler Identify sessions with weak or missing security headers +``` + +``` +#fiddler Find all sessions containing authentication tokens or API keys +``` + +### Performance Analysis + +Optimize application performance by analyzing timing and resource usage: + +``` +#fiddler Analyze the captured sessions and suggest performance optimizations +``` + +``` +#fiddler Extract statistical data and timings from the traffic related to {domain} +``` + +``` +#fiddler Identify the slowest API endpoints in the captured traffic +``` + +``` +#fiddler Show me all sessions with large response bodies (>1MB) +``` + +``` +#fiddler Analyze caching efficiency for the captured sessions +``` + +``` +#fiddler Calculate the total bandwidth consumed by the captured traffic +``` + +### Rules and Automation + +Create and manage rules to modify traffic behavior: + +``` +#fiddler Create a rule to match all sessions from {domain} and replace "{oldText}" with "{newText}" in the response bodies +``` + +``` +#fiddler Delete all rules created from the MCP +``` + +``` +#fiddler Create a rule to add a custom header "X-Debug-Mode: true" to all requests to {domain} +``` + +### Comprehensive Reporting + +Generate detailed reports combining multiple analysis aspects: + +``` +#fiddler Analyze the captured session related to {domain} and create a comprehensive report that covers site purposes, used technologies, security highlights, and possible technical and performance optimizations +``` + +``` +#fiddler Create a detailed API documentation based on the captured REST API calls to {domain} +``` + +``` +#fiddler Generate a security audit report for all sessions captured from {domain} +``` + +``` +#fiddler Create a performance benchmark report showing response times, payload sizes, and optimization recommendations +``` + +### Debugging and Troubleshooting + +Use these prompts to diagnose and resolve issues: + +``` +#fiddler Help me debug why my application can't connect to {endpoint} +``` + +``` +#fiddler Explain the CORS errors in the captured traffic +``` + +``` +#fiddler Show me the request/response chain for session ID {sessionId} +``` + +``` +#fiddler Compare the headers between session {sessionId1} and session {sessionId2} +``` + +``` +#fiddler Find all redirect chains in the captured traffic +``` + +### Data Extraction + +Extract specific information from captured traffic for further analysis: + +``` +#fiddler Extract all GraphQL queries from the captured sessions +``` + +``` +#fiddler List all WebSocket connections and their messages +``` + +``` +#fiddler Export all POST request bodies from sessions to {domain} +``` + +``` +#fiddler Extract all JSON responses from the captured API calls +``` + +## Tips for Creating Effective Custom Prompts + +When crafting your own custom prompts, consider these best practices: + +- **Be specific**: Include domain names, session IDs, or specific criteria to narrow down the analysis. +- **Use filters**: Apply filters before complex analysis to reduce processing time and improve accuracy. +- **Combine operations**: Ask for multiple related tasks in a single prompt (e.g., "analyze and create a report"). +- **Leverage context**: Reference previous prompts or analyses to build on earlier work. +- **Iterate**: Start with broad questions and refine based on the results. + +## See Also + +* [Fiddler Everywhere MCP Server Overview]({%slug fiddler-mcp-server%}) +* [Security Highlights]({%slug fe-security-highlights%}) +* [Data Sanitization]({%slug fe-sanitization%}) \ No newline at end of file diff --git a/security/sanitization.md b/security/sanitization.md new file mode 100644 index 00000000..60da2e45 --- /dev/null +++ b/security/sanitization.md @@ -0,0 +1,151 @@ +--- +title: Data Sanitization +description: "Configure data sanitization in Fiddler Everywhere to automatically remove sensitive information from captured HTTPS traffic before saving, exporting, or sharing with the MCP server." +slug: fe-sanitization +position: 40 +--- + +# Data Sanitization + +The Fiddler Everywhere application provides data sanitization capabilities to automatically remove sensitive information from captured HTTPS traffic. This feature helps protect confidential data before performing actions such as saving sessions, exporting snapshots, or passing information to the Fiddler Everywhere MCP server. + +Data sanitization is configurable through the **Settings > Sanitization** section. By default, the sanitization process is enabled only for MCP output. + +>important Fiddler Everywhere attempts to sanitize HTTP(S) traffic, but complete removal of sensitive data is not guaranteed. Unstructured, encrypted, compressed, obfuscated, or binary data may bypass the sanitization process. Each user is responsible for verifying the sanitization results and preventing unintended disclosure of sensitive information. + +## Configuring Sanitization + +The **Sanitization** settings screen provides comprehensive options to control how and when your captured traffic data is sanitized. + +### Mask Value + +- **Mask** - Specifies the string value used to replace sanitized data. The default mask is typically `***SANITIZED***`, but you can customize it to any value that suits your needs. + +### When to Sanitize + +Control when sanitization occurs by enabling or disabling sanitization for specific actions: + +- **On Save** - Automatically sanitizes session snapshots before any save operation in Fiddler Everywhere. Enable this option to ensure saved sessions does not contain sensitive data locally. +- **On Export** - Automatically sanitizes session snapshots before any export operation in Fiddler Everywhere. Enable this option when sharing exported files with team members or external parties. +- **On MCP Output** - Automatically sanitizes session snapshots before data is sent to the Fiddler Everywhere MCP server. This option is **enabled by default** to protect sensitive information from being processed by AI models. + +>tip Enable all three sanitization options if you regularly work with highly sensitive data or need to comply with strict data protection policies. + +### Parts of the Session to Sanitize + +Specify which components of the HTTP(S) traffic should be sanitized. Sanitization applies both default rules and custom rules configured in the **Additional Settings** section: + +- **Sanitize URL** - Masks sensitive parameters and path segments in request URLs (e.g., API keys, tokens, user IDs). +- **Sanitize Headers** - Masks sensitive HTTP headers such as `Authorization`, `Cookie`, `X-API-Key`, and other custom headers containing credentials or tokens. +- **Sanitize Cookies** - Masks cookie values that may contain session identifiers, authentication tokens, or user-specific data. +- **Sanitize Request Body** - Masks sensitive data within HTTP request bodies, such as passwords, credit card numbers, personal information, or proprietary data. +- **Sanitize Response Body** - Masks sensitive data within HTTP response bodies, including user data, API responses containing secrets, or any confidential information returned by servers. +- **Strip Request Body** - Completely removes all HTTP request bodies from sessions. Use this option when request bodies consistently contain highly sensitive data that should not be stored at all. +- **Strip Response Body** - Completely removes all HTTP response bodies from sessions. Use this option when response bodies consistently contain highly sensitive data that should not be stored at all. + +>important The difference between "Sanitize" and "Strip" options: Sanitization replaces sensitive values with the mask string while preserving the structure of the data. Stripping completely removes the entire body content, which may affect your ability to debug or analyze the traffic later. + +### Additional Settings + +Enhance the sanitization process by defining custom rules to target specific sensitive data patterns: + +- **Headers** - Add custom HTTP header names that should always be sanitized, beyond the default headers. Useful for application-specific authentication headers or proprietary security tokens. +- **Keywords** - Specify keywords or phrases that should be masked wherever they appear in URLs, headers, or bodies. Examples include company names, project codenames, or specific sensitive terms. +- **Regular Expression Patterns** - Define regex patterns to match and sanitize complex data formats such as: + - Credit card numbers: `\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b` + - Email addresses: `\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b` + - Social security numbers, phone numbers, or other sensitive identifiers + +>tip Test your custom sanitization rules with sample traffic to ensure they correctly identify and mask sensitive data without over-sanitizing useful debugging information. + +## Best Practices + +When using data sanitization in Fiddler Everywhere, consider the following best practices: + +- **Always verify sanitization results** - Review sanitized sessions before sharing to confirm that all sensitive data has been properly masked. +- **Enable MCP sanitization by default** - Keep the "On MCP Output" option enabled to prevent inadvertent exposure of sensitive data to AI models. +- **Use appropriate sanitization scope** - Balance security needs with debugging requirements. Over-sanitization may hinder troubleshooting efforts. +- **Combine with password protection** - Use sanitization in conjunction with [password-protected sessions]({%slug fe-security-highlights%}#saving-traffic) for multiple layers of security. +- **Document custom rules** - Maintain documentation of custom sanitization rules, especially regex patterns, for team collaboration and compliance audits. +- **Regular rule review** - Periodically review and update sanitization rules as your application evolves and new sensitive data types are introduced. + + +## Sanitization Policies + +Fiddler Everywhere Enterprise provides managed application policies that enable IT administrators to centrally control sanitization settings across their organization. The `DefaultSanitizationSettings` and `DisableSanitizationSettingsUpdate` policies allow administrators to enforce consistent data protection standards and prevent users from modifying sanitization configurations. + +### Policy Configuration Keys + +The following policies are available for managing sanitization behavior: + +- **DefaultSanitizationSettings** - Defines the default sanitization configuration applied when users launch Fiddler Everywhere. This policy allows administrators to pre-configure sanitization options including the mask value, which traffic components to sanitize, when to sanitize, and custom sanitization rules. + +- **DisableSanitizationSettingsUpdate** - When enabled, this policy locks the sanitization settings and prevents end users from modifying the configuration through the Fiddler Everywhere user interface. This ensures compliance with organizational data protection policies. + +### Windows Configuration + +IT teams managing Windows systems can apply sanitization policies using Group Policy, registry scripts, or endpoint management tools. Set the following registry values under: + +``` +HKEY_CURRENT_USER\SOFTWARE\Policies\Progress\Fiddler Everywhere +``` + +| Key Name | Value Type | Description | Example Value | +|:---------|:-----------|:------------|:--------------| +| `DefaultSanitizationSettings` | REG_SZ (string) | JSON object defining default sanitization configuration. All properties are optional; omitted properties use Fiddler Everywhere defaults. | See JSON structure below | +| `DisableSanitizationSettingsUpdate` | REG_DWORD | Locks sanitization settings to prevent user modifications. Set to `1` to enable, `0` to disable. | `0x00000001` (1) | + +#### DefaultSanitizationSettings JSON Structure + +The `DefaultSanitizationSettings` value accepts a JSON object with the following optional properties: + +```json +{ + "mask": "***SANITIZED***", + "sanitizeUrl": true, + "sanitizeHeaders": true, + "sanitizeCookies": true, + "sanitizeRequestBody": true, + "sanitizeResponseBody": true, + "stripRequestBody": false, + "stripResponseBody": false, + "sanitizeOnSave": false, + "sanitizeOnExport": false, + "sanitizeMcpOutput": true, + "additionalHeaders": "X-Custom-Auth, X-Internal-Token, X-My-Test-Header", + "additionalKeywords": "confidential, proprietary, test", + "additionalRegexes": "\\b\\d{3}-\\d{2}-\\d{4}\\b" +} +``` + +**Property Descriptions:** + +- `mask` - String value used to replace sanitized data (default: `"***SANITIZED***"`) +- `sanitizeUrl`, `sanitizeHeaders`, `sanitizeCookies`, `sanitizeRequestBody`, `sanitizeResponseBody` - Boolean values controlling which traffic components are sanitized +- `stripRequestBody`, `stripResponseBody` - Boolean values controlling whether to completely remove body content +- `sanitizeOnSave`, `sanitizeOnExport`, `sanitizeMcpOutput` - Boolean values controlling when sanitization occurs +- `additionalHeaders` - Array of custom header names to sanitize (can be `null` or omitted) +- `additionalKeywords` - Array of keywords to mask throughout traffic (can be `null` or omitted) +- `additionalRegexes` - Array of regular expression patterns for advanced sanitization (can be `null` or omitted) + +>tip When setting registry values programmatically, ensure the JSON string is properly escaped. For manual registry editing, paste the JSON as a single-line string value. + +### macOS Configuration + +IT teams managing macOS systems can apply sanitization policies using Mobile Device Management (MDM) solutions such as Jamf Pro, Microsoft Intune, or Apple's Profile Manager. Configure the following managed preferences: + +| Key Name | Value Type | Description | Example Value | +|:---------|:-----------|:------------|:--------------| +| `DefaultSanitizationSettings` | String | JSON object defining default sanitization configuration. All properties are optional; omitted properties use Fiddler Everywhere defaults. | See JSON structure above | +| `DisableSanitizationSettingsUpdate` | Integer | Locks sanitization settings to prevent user modifications. Set to `1` to enable, `0` to disable. | `1` | + +The JSON structure and property descriptions for `DefaultSanitizationSettings` are identical to the Windows configuration described above. + +>important Managed preferences on macOS require proper MDM enrollment and configuration profile deployment. Test policy application in a non-production environment before enterprise-wide rollout. + +For comprehensive information on deploying managed application configurations, refer to the [Managed Application Policies]({%slug fe-restrict-policies%}) article. + +## See Also + +- [Security Highlights]({%slug fe-security-highlights%}) +- [Using the Fiddler MCP Server]({%slug fiddler-mcp-server%}) \ No newline at end of file diff --git a/security/security-highlights.md b/security/security-highlights.md index 29fc7399..f9a2608b 100644 --- a/security/security-highlights.md +++ b/security/security-highlights.md @@ -1,6 +1,6 @@ --- title: Security Highlights -description: "Security considerations when using Fiddler Everywhere as a proxy." +description: "Learn about essential security considerations, best practices, and safeguards when using Fiddler Everywhere as a proxy, including data protection, sanitization, and MCP server security." slug: fe-security-highlights publish: true position: 30 @@ -11,23 +11,15 @@ position: 30 While using Fiddler Everywhere, consider the following security indicators and highlights: - With the initial state for [the system capturing option]({%slug capture-traffic-get-started%}#system-capturing), Fiddler Everywhere will capture only non-secure HTTP traffic. This traffic is not encrypted and can expose sensitive information like visited URLs, internal API endpoints, etc. - - With the initial state for [the independent browser capturing option]({%slug capture-traffic-get-started%}#browser-capturing), Fiddler Everywhere will capture both non-secure HTTP and secure HTTPS traffic. The Fiddler Everywhere application will decrypt the HTTPS traffic. - - Fiddler Everywhere generates a unique root CA (certificate authority). Avoid sharing this certificate with anyone as it can pose a significant security threat (for example, anyone with access to that certificate can decrypt your HTTPS traffic). - - When HTTPS capturing is enabled, the captured data will contain readable, usually decrypted information. Share that data with trusted parties only and carefully consider what the requests and responses include. - +- Fiddler Everywhere provides [data sanitization]({%slug fe-sanitization%}) capabilities to help remove sensitive information before saving, exporting, or passing data to the MCP server. However, complete removal of sensitive data is not guaranteed as unstructured, encrypted, compressed, obfuscated, or binary data may bypass sanitization. Users are responsible for verifying the sanitization results. - All users accessing the Fiddler Everywhere application or saved sessions can also access the captured data. - -- Fiddler enables to usage of password protection to prevent unauthorized access to saved sessions stored locally or in the cloud. Fiddler stores all saved sessions as SAZ files and, using the password protection option adds 256-bit AES encryption. Anyone with access to the SAZ file can open unprotected saves. - +- Fiddler enables the usage of password protection to prevent unauthorized access to saved sessions stored locally or in the cloud. Fiddler stores all saved sessions as SAZ files, and using the password protection option adds 256-bit AES encryption. Anyone with access to the SAZ file can open unprotected saves. - Fiddler Everywhere will not store your data in the cloud if you do not use sharing or cloud capabilities. Once you sign in, everything is stored locally (your credentials are verified in the cloud). The only way to get captured data in the cloud is to upload it explicitly through user interaction from the **Snapshots** collections, **Requests** collections, or **rules** or share it with collaborators. - - Sessions uploaded to the Fiddler Everywhere cloud space are encrypted when password protection is enabled. All uploaded sessions are stored in the cloud as [Fiddler archives]({%slug fiddler-saz-format%}). - -- Fiddler Everywhere can be installed per machine on Windows OS (macOS and Linux installation is only per user). In that case, each Fiddler user logs into the application with their credentials, and the generated data is accessible to the other users. - +- Fiddler Everywhere can be installed per machine on Windows OS (macOS and Linux installation is only per user). In that case, each Fiddler user logs into the application with their credentials, and the generated data is accessible to the other users on the same machine. - Fiddler Everywhere is [SOC 2 compliant](#soc-compliance). ## Application Analytics @@ -40,50 +32,55 @@ Fiddler Everywhere provides options for securely saving and sharing captured tra ### Saving Traffic -Once Fiddler Everywhere captures the traffic, you have the option to [save the sessions for later usage]({%slug web-sessions-list%}#saving). Consider the following security highlights before saving sessions. +Once Fiddler Everywhere captures the traffic, you have the option to [save the sessions for later usage]({%slug web-sessions-list%}#saving). Consider the following security highlights before saving sessions: - All saved sessions are stored locally on the Fiddler Everywhere host machine as SAZ files (Fiddler Sessions Archive ZIP). The absolute path is different and depends on the used OS and the unique ID of the currently logged user: - * Windows path ```curl %userprofile%\.fiddler\\Snapshots ``` - * macOS path ```curl ~/.fiddler//Snapshots ``` - * Linux path ```curl ~/.fiddler//Snapshots ``` +- Use [data sanitization]({%slug fe-sanitization%}) to automatically remove sensitive information from sessions before saving. You can configure sanitization rules in **Settings > Sanitization** to mask or strip sensitive data from URLs, headers, cookies, and request/response bodies. +- The `.fiddler` folder will continue to exist even when the Fiddler Everywhere application is uninstalled. Any previously saved sessions will be available on the host machine until explicitly removed. Explicitly removing the `.fiddler` folder removes all previously saved sessions (the SAZ files in the Snapshots GUID folders). Consider keeping them in the Fiddler cloud as a backup option before clearing the folder. +- Other users can open any unprotected SAZ file at any time by gaining access to the SAZ file. Consider using password protection for your captured traffic to add 256-bit AES encryption to the saved SAZ files and prevent unauthorized access to sensitive data. -- The `fiddler` folder will continue to exist even when the Fiddler Everywhere application is uninstalled. Any previously saved sessions will be available on the host machine until explicitly removed. Explicitly removing the `.fiddler` folder removes all previously saved sessions (the SAZ files in the Snapshots `GUID` folders). Consider keeping them in the Fiddler cloud as a backup option before clearing the folder. - -- Other users can open any unprotected SAZ file at any time by getting access to the SAZ file. Consider using password protection for your captured traffic to add 256-bit AES encryption to the saved SAZ files and prevent unauthorized access to sensitive data. - - Fiddler Everywhere provides the following options to add password protection for your sessions: + Fiddler Everywhere provides the following options to add password protection for your sessions: * Setting a password when saving the session. - * Setting a password for already saved sessions. - -- Sessions saved in the cloud will continue locally through the `.fiddler` folder until explicitly removed. Removing the SAZ files from the `./fiddler` folder will remove their presence in the Fiddler Everywhere UI. - -- The only way to recover a deleted session from the **Snapshots** tree or a deleted SAZ file from the `.fiddler` folder is to download their cloud copy. Consider using the Fiddler Everywhere clouds saving option as a backup option. - -- Sessions are stored in Fiddler Everywhere cloud space as SAZ files. Consider protecting sensitive data by adding password protection for all cloud saves, which adds 256-bit AES encryption. +- Sessions saved in the cloud will remain locally in the `.fiddler` folder until explicitly removed. Removing the SAZ files from the `.fiddler` folder will remove their presence in the Fiddler Everywhere UI. +- The only way to recover a deleted session from the **Snapshots** tree or a deleted SAZ file from the `.fiddler` folder is to download their cloud copy. Consider using the Fiddler Everywhere cloud saving option as a backup. +- Sessions are stored in the Fiddler Everywhere cloud space as SAZ files. Consider protecting sensitive data by adding password protection for all cloud saves, which adds 256-bit AES encryption. ### Sharing Traffic Fiddler Everywhere comes with [collaboration in mind]({%slug fiddler-sharing%}) and provides sharing functionalities. Consider the following security highlights when sharing sessions: -A session is saved before sharing. Thus, you should consider the [saving-related security highlights](#saving-traffic). +- A session is saved before sharing. Thus, you should consider the [saving-related security highlights](#saving-traffic). +- Enable [data sanitization]({%slug fe-sanitization%}) before sharing sessions to automatically remove sensitive information. This is especially important when sharing with external collaborators or using the Fiddler MCP server integration. +- Sharing an unprotected session can expose your sensitive data to unauthorized third parties. Always consider adding password protection to your sessions before sharing them. + +## Using the Fiddler MCP Server + +Fiddler Everywhere provides an [MCP (Model Context Protocol) server]({%slug fiddler-mcp-server%}) that enables integration with AI-powered IDEs and tools for analyzing captured HTTPS traffic. Consider the following security highlights when using the MCP server: -Sharing an unprotected session can expose your sensitive data to unauthorized third parties. Always consider adding password protection to your sessions before sharing them. +- The MCP server runs locally on your machine (default port `8868`) and provides captured traffic data to connected AI tools and IDEs. Any application with access to your API key can retrieve your captured traffic data. +- Protect your MCP server API key. This key grants access to all captured traffic data. Do not share the API key or commit it to version control systems. Regenerate the API key immediately if you suspect it has been compromised. +- By default, [data sanitization]({%slug fe-sanitization%}) is enabled for MCP output to help prevent exposure of sensitive information to AI models. Verify that **Settings > Sanitization > On MCP Output** is enabled before using the MCP server. +- Be aware that captured traffic data sent to the MCP server will be processed by AI models (such as those provided by your IDE). Review your AI provider's data handling and privacy policies to understand how your data may be used, stored, or retained. +- The MCP server provides access to all captured sessions available in Fiddler Everywhere. Consider clearing old or unnecessary sessions before enabling the MCP server to limit data exposure. +- Only enable the MCP server when actively using it. Stop the server when not in use to minimize the window of potential unauthorized access. +- When using the MCP server on shared or multi-user machines, be particularly cautious as other users may attempt to access the MCP endpoint if they discover your API key. +- Enterprise administrators can completely disable the MCP server for licensed users through the `DisableMCP` managed application policy. This policy can be applied via registry settings on Windows or device management solutions on macOS. For more information, refer to the [MCP Access Policies]({%slug fiddler-mcp-server%}#mcp-access-policies) documentation. ## SOC Compliance