diff --git a/core/gateway/internal/mitm/mitm.go b/core/gateway/internal/mitm/mitm.go
index 89d46d4..8a97553 100644
--- a/core/gateway/internal/mitm/mitm.go
+++ b/core/gateway/internal/mitm/mitm.go
@@ -10,6 +10,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 )
@@ -136,13 +137,22 @@ func (h *Handler) Handle(clientConn net.Conn, initialData []byte, serverName str
 // forwardRequest sends the request to the real server over TLS.
 func (h *Handler) forwardRequest(req *http.Request, serverName string) (*http.Response, error) {
 	// Set the host header and request URI
-	req.URL.Scheme = "https"
 	req.URL.Host = serverName
 	req.RequestURI = "" // must be empty for client requests
 
+	insecure := os.Getenv("GATEWAY_INSECURE_UPSTREAM") == "true"
+
+	if insecure {
+		// In test mode, forward as HTTP to allow plain-HTTP echo servers.
+		req.URL.Scheme = "http"
+	} else {
+		req.URL.Scheme = "https"
+	}
+
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			ServerName: serverName,
+			ServerName:         serverName,
+			InsecureSkipVerify: insecure, //nolint:gosec // test-only
 		},
 		// Disable compression so we can stream the raw response bytes
 		DisableCompression: true,
diff --git a/tests/integration/sandbox/compose-override.yml b/tests/integration/sandbox/compose-override.yml
new file mode 100644
index 0000000..aba5928
--- /dev/null
+++ b/tests/integration/sandbox/compose-override.yml
@@ -0,0 +1,19 @@
+# Override for integration test: adds a local httpbin echo server
+# to eliminate dependency on external httpbin.org.
+# Merged with generated .build/docker-compose.yml via -f flag.
+services:
+  echo-httpbin:
+    image: mccutchen/go-httpbin:v2.16.0
+    command: ["/bin/go-httpbin", "-port", "80"]
+    networks:
+      sandbox:
+        aliases:
+          - httpbin.org
+
+  # Override gateway to forward upstream as HTTP (echo server is plain HTTP)
+  sandbox-test-gateway:
+    environment:
+      - GATEWAY_INSECURE_UPSTREAM=true
+    depends_on:
+      echo-httpbin:
+        condition: service_started
diff --git a/tests/integration/sandbox/run.sh b/tests/integration/sandbox/run.sh
index 79403f3..0d46322 100755
--- a/tests/integration/sandbox/run.sh
+++ b/tests/integration/sandbox/run.sh
@@ -9,7 +9,7 @@ CLI="${CLI_PATH:-agent-sandbox}"
 
 cleanup() {
   echo "--- Cleaning up ---"
-  "$CLI" -C "$SCRIPT_DIR" compose down -v 2>/dev/null || true
+  "$CLI" -C "$SCRIPT_DIR" compose -f "$SCRIPT_DIR/compose-override.yml" down -v 2>/dev/null || true
 }
 trap cleanup EXIT
 
@@ -23,7 +23,7 @@ echo ""
 echo "--- Building and starting containers ---"
 # Export test secrets so compose picks them up
 export $(grep -v '^#' "$SCRIPT_DIR/test.env" | xargs)
-"$CLI" -C "$SCRIPT_DIR" compose up -d --build --wait --wait-timeout 60
+"$CLI" -C "$SCRIPT_DIR" compose -f "$SCRIPT_DIR/compose-override.yml" up -d --build --wait --wait-timeout 60
 
 # Wait for agent entrypoint to complete
 sleep 3