loading
loading
Network
A fast and multi-purpose HTTP toolkit that runs multiple probers with reliable, high-throughput results.
overview
httpx takes a list of hosts or URLs and probes each one over HTTP, returning a structured picture of what is live and what it is running. In one pass it reports status codes, page titles, response sizes, redirect chains, web server, detected technologies, and TLS data, which turns a raw list of candidates into classified, actionable targets.
On Trickest it is the workhorse between discovery and scanning. Feed it the output of subdomain enumeration or a crawler, emit JSONL with -json, and every downstream node works from live, deduplicated hosts instead of guesses. High thread counts (-threads) and rate limiting (-rate-limit) let it cover wide scopes without overwhelming a target.
Beyond liveness, httpx carries a deep matcher and filter system: keep or drop responses by status code (-match-code, -filter-code), content length, regex, favicon hash, word or line count, or response time. A single node both probes and triages, so its output is already narrowed to what the next stage should test.
use cases
Probe thousands of subdomains to find which respond, what they run, and which look interesting, before spending scanner time on them.
Run Wappalyzer-style tech detection across a host list to map frameworks, servers, and CDNs for the whole estate.
Drop dead and duplicate hosts so a vulnerability scanner only runs against URLs that actually answer.
Use status, length, regex, and favicon matchers so the node both probes and triages, narrowing output to interesting hosts.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -target | Host or hosts to probe (comma-separated). |
| list | FILE | -list | File of hosts to probe, the usual pipeline input. |
| status-code | BOOLEAN | -status-code | Display the response status code. |
| title | BOOLEAN | -title | Display the page title. |
| tech-detect | BOOLEAN | -tech-detect | Detect technologies from the Wappalyzer dataset. |
| web-server | BOOLEAN | -web-server | Display the server name from the response. |
| json | BOOLEAN | -json | Write structured JSONL output, one record per line. |
| match-code | STRING | -match-code | Keep only responses with these status codes (-mc 200,302). |
Showing key inputs. httpx exposes 114 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| x | STRING | -x | request methods to probe, use 'all' to probe all HTTP methods |
| ip | BOOLEAN | -ip | display host ip |
| asn | BOOLEAN | -asn | display host asn information |
| cdn | BOOLEAN | -cdn | display cdn in use |
| csv | BOOLEAN | -csv | store output in csv format |
| body | FILE | -body | post body to include in http request |
| deny | STRING | -deny | denied list of IP/CIDR's to process (comma separated) |
| hash | STRING | -hash | display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512) |
| jarm | BOOLEAN | -jarm | display jarm fingerprint hash |
| json | BOOLEAN | -json | store output in JSONL(ines) format |
| list | FILE | -list | input file containing list of hosts to process |
| path | STRING | -path | path or list of paths to probe (comma-separated) |
| ztls | BOOLEAN | -ztls | use ztls library with autofallback to standard one for tls13 |
| allow | STRING | -allow | allowed list of IP/CIDR's to process (comma separated) |
| cname | BOOLEAN | -cname | display host cname |
| debug | BOOLEAN | -debug | display request/response content in cli |
| delay | STRING | -delay | duration between each http request (eg: 200ms, 1s) (default -1ns) |
| http2 | BOOLEAN | -http2 | probe and display server supporting HTTP2 |
| ports | STRING | -ports | ports to probe (nmap syntax: eg http:1,2-10,11,https:80) |
| probe | BOOLEAN | -probe | display probe status |
| stats | BOOLEAN | -stats | display scan statistic |
| title | BOOLEAN | -title | display page title |
| trace | BOOLEAN | -trace | trace |
| vhost | BOOLEAN | -vhost | probe and display server supporting VHOST |
| config | FILE | -config | path to the httpx configuration file |
| header | STRING | -header | custom http headers to send with request |
| method | BOOLEAN | -method | display http request method |
| silent | BOOLEAN | -silent | silent mode |
| target | STRING | -target | input target host(s) to probe |
| unsafe | BOOLEAN | -unsafe | send raw requests skipping golang normalization |
| exclude | STRING | -exclude | exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex) |
| favicon | BOOLEAN | -favicon | display mmh3 hash for '/favicon.ico' file |
| request | FILE | -request | file containing raw request |
| retries | STRING | -retries | number of retries |
| threads | STRING | -threads | number of threads to use (default 50) |
| timeout | STRING | -timeout | timeout in seconds (default 5) |
| verbose | BOOLEAN | -verbose | verbose mode |
| location | BOOLEAN | -location | display response redirect location |
| pipeline | BOOLEAN | -pipeline | probe and display server supporting HTTP1.1 pipeline |
| protocol | STRING | -protocol | protocol to use (unknown, http11) |
| sni-name | STRING | -sni-name | custom TLS SNI name |
| tls-grab | BOOLEAN | -tls-grab | perform TLS(SSL) data grabbing |
| csp-probe | BOOLEAN | -csp-probe | send http probes on the extracted CSP domains |
| debug-req | BOOLEAN | -debug-req | display request content in cli |
| deny-list | FILE | -deny | denied list of IP/CIDR's to process |
| match-cdn | STRING | -match-cdn | match host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| no-decode | BOOLEAN | -no-decode | avoid decoding body |
| omit-body | BOOLEAN | -omit-body | omit response body in output |
| path-list | FILE | -path | list of paths to probe |
| resolvers | STRING | -resolvers | list of custom resolvers (comma separated) |
| tls-probe | BOOLEAN | -tls-probe | send http probes on the extracted TLS domains (dns_name) |
| websocket | BOOLEAN | -websocket | display server using websocket |
| allow-list | FILE | -allow | allowed list of IP/CIDR's to process |
| debug-resp | BOOLEAN | -debug-resp | display response content in cli |
| filter-cdn | STRING | -filter-cdn | filter host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| http-proxy | STRING | -http-proxy | http proxy to use (eg http://127.0.0.1:8080) |
| line-count | BOOLEAN | -line-count | display response body line count |
| match-code | STRING | -match-code | match response with specified status code (-mc 200,302) |
| rate-limit | STRING | -rate-limit | maximum requests to send per second (default 150) |
| web-server | BOOLEAN | -web-server | display server name |
| word-count | BOOLEAN | -word-count | display response body word count |
| filter-code | STRING | -filter-code | filter response with specified status code (-fc 403,401) |
| header-file | FILE | -header-file | custom http headers to send with request |
| match-regex | STRING | -match-regex | match response with specified regex (-mr admin) |
| no-fallback | BOOLEAN | -no-fallback | display both probed protocol (HTTPS and HTTP) |
| status-code | BOOLEAN | -status-code | display response status-code |
| tech-detect | BOOLEAN | -tech-detect | display technology in use based on wappalyzer dataset |
| vhost-input | BOOLEAN | -vhost-input | get a list of vhosts as input |
| body-preview | BOOLEAN | -body-preview | display first N characters of response body (default 100) |
| content-type | BOOLEAN | -content-type | display response content-type |
| extract-fqdn | BOOLEAN | -extract-fqdn | get domain and subdomains from response body and header in jsonl/csv output |
| filter-regex | STRING | -filter-regex | filter response with specified regex (-fe admin) |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| match-length | STRING | -match-length | match response with specified content length (-ml 100,102) |
| match-string | STRING | -match-string | match response with specified string (-ms admin) |
| random-agent | BOOLEAN | -random-agent | enable Random User-Agent to use (default true) |
| respect-hsts | BOOLEAN | -respect-hsts | respect HSTS response headers for redirect requests |
| extract-regex | STRING | -extract-regex | display response content with matched regex |
| filter-length | STRING | -filter-length | filter response with specified content length (-fl 23,33) |
| filter-string | STRING | -filter-string | filter response with specified string (-fs admin) |
| include-chain | BOOLEAN | -include-chain | include redirect http chain in JSON output (-json only) |
| match-favicon | STRING | -match-favicon | match response with specified favicon hash (-mfc 1494302000) |
| max-redirects | STRING | -max-redirects | max number of redirects to follow per host (default 10) |
| probe-all-ips | BOOLEAN | -probe-all-ips | probe all the ips associated with same host |
| response-time | BOOLEAN | -response-time | display response time |
| content-length | BOOLEAN | -content-length | display response content-length |
| extract-preset | STRING | -extract-preset | display response content matched by a pre-defined regex (url,ipv4,mail) |
| filter-favicon | STRING | -filter-favicon | filter response with specified favicon hash (-mfc 1494302000) |
| max-host-error | STRING | -max-host-error | max error count per host before skipping remaining path/s (default 30) |
| resolvers-file | FILE | -resolvers | list of custom resolvers |
| stats-interval | STRING | -stats-interval | number of seconds to wait between showing a statistics update (default: 5) |
| match-condition | STRING | -match-condition | match response with dsl expression condition |
| tls-impersonate | BOOLEAN | -tls-impersonate | enable random tls client (ja3) impersonation (experimental) |
| filter-condition | STRING | -filter-condition | filter response with dsl expression condition |
| follow-redirects | BOOLEAN | -follow-redirects | follow http redirects |
| include-response | BOOLEAN | -include-response | include http request/response in JSON output (-json only) |
| match-line-count | STRING | -match-line-count | match response body with specified line count (-mlc 423,532) |
| match-word-count | STRING | -match-word-count | match response body with specified word count (-mwc 43,55) |
| filter-duplicates | BOOLEAN | -filter-duplicates | filter out near-duplicate responses (only first response is retained) |
| filter-error-page | BOOLEAN | -filter-error-page | filter response with ML based error page detection |
| filter-line-count | STRING | -filter-line-count | filter response body with specified line count (-flc 423,532) |
| filter-word-count | STRING | -filter-word-count | filter response body with specified word count (-fwc 423,532) |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| list-dsl-variables | BOOLEAN | -list-dsl-variables | list json output field keys name that support dsl matcher/filter |
| no-fallback-scheme | BOOLEAN | -no-fallback-scheme | probe with protocol scheme specified in input |
| csv-output-encoding | STRING | -csv-output-encoding | define output encoding |
| leave-default-ports | BOOLEAN | -leave-default-ports | leave default http/https ports in host header (eg. http://host:80 - https//host:443 |
| match-response-time | STRING | -match-response-time | match response with specified response time in seconds (-mrt '< 1') |
| filter-response-time | STRING | -filter-response-time | filter response with specified response time in seconds (-frt '> 1') |
| follow-host-redirects | BOOLEAN | -follow-host-redirects | follow redirects on the same host |
| response-size-to-read | STRING | -response-size-to-read | max response size to read in bytes (default 2147483647) |
| response-size-to-save | STRING | -response-size-to-save | max response size to save in bytes (default 2147483647) |
| include-response-base64 | BOOLEAN | -include-response-base64 | include base64 encoded http request/response in JSON output (-json only) |
| include-response-header | BOOLEAN | -include-response-header | include http response (headers) in JSON output (-json only) |
example
# probe a host list, show status, title, tech, and web server, emit JSONLhttpx -list hosts.txt -status-code -title -tech-detect -web-server -json -o results.jsonlhttps://www.example.com [200] [Example Domain] [nginx] [PHP,Bootstrap]https://api.example.com [200] [API Gateway] [openresty] [OpenResty]https://blog.example.com [301] [Redirecting…] [cloudflare] [Cloudflare]https://staging.example.com [403] [403 Forbidden] [Apache/2.4.41] [Apache HTTP Server]https://dev.example.com [200] [Grafana] [nginx] [Grafana]https://shop.example.com [200] [Store] [nginx] [Magento,PHP,jQuery]https://vpn.example.com [401] [Sign in] [nginx] [nginx]guidance
Use httpx whenever you need to know which hosts are live and what they run. It is a prober, not a crawler, so pair it with katana to find endpoints and with nuclei to test them.
Minimal liveness check. httpx returns far more signal per request.
Crawls for endpoints. Run it before httpx, not instead of it.
Tests the live hosts httpx classifies. Runs after it in the pipeline.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A host list feeds httpx, which probes each one and writes the live, classified hosts as a queryable output.
Facts on this page come from the live Trickest tool library.