From fba8b452283465dd74494a185cc1298d22cd1cb6 Mon Sep 17 00:00:00 2001
From: botre <git@bjornkrols.com>
Date: Tue, 19 May 2026 16:55:21 +0200
Subject: [PATCH 1/4] Fix endpoint-ID XSS and rate-limit IP spoofing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

P1: The endpoint page rendered {{.EndpointURL}} into an Alpine @click
expression. html/template only HTML-escapes @click (not a JS context),
so a quote supplied via %27 in the path broke out of the copy('...')
string and Alpine evaluated the rest via Function() — permitted by the
CSP's 'unsafe-eval'. The copy button now reads the URL from the DOM
(x-ref) instead, and validEndpointID() rejects any :endpoint param that
isn't haikunator-shaped (lowercase words/digits, hyphen-joined, <=64)
with a 404 across all endpoint routes.

P3: Behind Cloudflare, a client-supplied X-Forwarded-For is appended to,
not stripped, so resolveClientIP and the limiter's c.IP() key both read
an attacker-controlled value — rotating XFF defeated the rate limiter
and poisoned the stored client IP. resolveClientIP now prefers the
unforgeable CF-Connecting-IP header, and the limiter buckets on the
resolved IP via an explicit KeyGenerator.
---
 src/application.go      | 54 ++++++++++++++++++++++++++++++++++++-----
 src/views/endpoint.html |  3 ++-
 2 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/src/application.go b/src/application.go
index f37ae8c..8a78ad4 100644
--- a/src/application.go
+++ b/src/application.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"regexp"
 	"strconv"
 	"sync"
 	"time"
@@ -51,6 +52,16 @@ var omittedHeaders = [...]string{
 	"X-Request-Start",
 }
 
+// endpointIDPattern bounds an endpoint ID to the shape haikunator emits
+// (lowercase words and digits joined by hyphens). Rejecting anything else
+// keeps attacker-controlled characters — quotes, angle brackets, parens —
+// out of the rendered pages, the database, and the logs.
+var endpointIDPattern = regexp.MustCompile(`^[a-z0-9]+(-[a-z0-9]+)*$`)
+
+func validEndpointID(id string) bool {
+	return len(id) <= 64 && endpointIDPattern.MatchString(id)
+}
+
 // socketRegistry tracks WS UUIDs subscribed to each endpoint, so the capture
 // hot path can fan-out without a DB round-trip.
 type socketRegistry struct {
@@ -111,10 +122,17 @@ func (r *socketRegistry) count() int {
 	return n
 }
 
-// resolveClientIP picks the most trustworthy client IP available. Behind Traefik,
-// X-Real-Ip is set to the real peer; we prefer it but verify it parses, and fall
-// back through X-Forwarded-For (leftmost) and the TCP peer.
+// resolveClientIP picks the most trustworthy client IP available. Cloudflare
+// overwrites CF-Connecting-IP on every request, so it is the only header an
+// upstream client cannot spoof — we prefer it. We then fall back through
+// X-Real-Ip, X-Forwarded-For (leftmost) and the TCP peer for non-Cloudflare
+// deployments, verifying each parses as an IP.
 func resolveClientIP(c fiber.Ctx) string {
+	if v := c.Get("Cf-Connecting-Ip"); v != "" {
+		if ip := net.ParseIP(v); ip != nil {
+			return ip.String()
+		}
+	}
 	if v := c.Get("X-Real-Ip"); v != "" {
 		if ip := net.ParseIP(v); ip != nil {
 			return ip.String()
@@ -214,6 +232,10 @@ func main() {
 	application.Use(limiter.New(limiter.Config{
 		Max:        maxRequestsPerMinute,
 		Expiration: 1 * time.Minute,
+		// Bucket on the spoof-resistant client IP (CF-Connecting-IP behind
+		// Cloudflare) rather than c.IP(), which trusts a client-supplied
+		// X-Forwarded-For and lets a caller reset its own limit.
+		KeyGenerator: func(c fiber.Ctx) string { return resolveClientIP(c) },
 	}))
 
 	application.Use(compress.New())
@@ -255,7 +277,12 @@ func main() {
 		return fiber.ErrUpgradeRequired
 	})
 
-	application.Get("/ws/:endpoint", socketio.New(func(kws *socketio.Websocket) {
+	application.Get("/ws/:endpoint", func(c fiber.Ctx) error {
+		if !validEndpointID(c.Params("endpoint")) {
+			return c.SendStatus(http.StatusNotFound)
+		}
+		return c.Next()
+	}, socketio.New(func(kws *socketio.Websocket) {
 		endpointID := kws.Params("endpoint")
 		kws.SetAttribute("endpointID", endpointID)
 		registry.add(endpointID, kws.UUID)
@@ -287,6 +314,9 @@ func main() {
 
 	application.Get("/api/endpoints/:endpoint/requests", func(c fiber.Ctx) error {
 		endpointID := c.Params("endpoint")
+		if !validEndpointID(endpointID) {
+			return c.SendStatus(http.StatusNotFound)
+		}
 		search := c.Query("search")
 		requests := database.GetRequestsForEndpointID(c.Context(), endpointID, search, 128)
 		return c.JSON(fiber.Map{
@@ -296,11 +326,17 @@ func main() {
 
 	application.Delete("/api/endpoints/:endpoint/requests", func(c fiber.Ctx) error {
 		endpointID := c.Params("endpoint")
+		if !validEndpointID(endpointID) {
+			return c.SendStatus(http.StatusNotFound)
+		}
 		database.DeleteRequestsForEndpointID(c.Context(), endpointID)
 		return c.SendStatus(http.StatusOK)
 	})
 
 	application.Delete("/api/endpoints/:endpoint/requests/:request", func(c fiber.Ctx) error {
+		if !validEndpointID(c.Params("endpoint")) {
+			return c.SendStatus(http.StatusNotFound)
+		}
 		requestUUID := c.Params("request")
 		database.DeleteRequestForUUID(c.Context(), requestUUID)
 		return c.SendStatus(http.StatusOK)
@@ -320,6 +356,9 @@ func main() {
 
 	application.Get("/:endpoint", func(c fiber.Ctx) error {
 		endpointID := c.Params("endpoint")
+		if !validEndpointID(endpointID) {
+			return c.SendStatus(http.StatusNotFound)
+		}
 		host := string(c.Request().Host())
 		scheme := c.Scheme()
 		websocketScheme := "ws"
@@ -341,9 +380,12 @@ func main() {
 	})
 
 	application.Use("/to/:endpoint", func(c fiber.Ctx) error {
-		requestUUID := uuid.NewString()
-
 		endpointID := c.Params("endpoint")
+		if !validEndpointID(endpointID) {
+			return c.SendStatus(http.StatusNotFound)
+		}
+
+		requestUUID := uuid.NewString()
 
 		ip := resolveClientIP(c)
 
diff --git a/src/views/endpoint.html b/src/views/endpoint.html
index 90ab233..b6a5242 100644
--- a/src/views/endpoint.html
+++ b/src/views/endpoint.html
@@ -16,13 +16,14 @@
       <div class="flex flex-col sm:flex-row gap-2 sm:items-center">
         <code
           data-test="endpoint-url"
+          x-ref="endpointUrl"
           class="flex-1 select-all break-all rounded bg-slate-50 border border-slate-200 px-3 py-2 text-sm font-mono text-indigo-700"
           >{{.EndpointURL}}</code
         >
         <button
           type="button"
           data-test="copy-url"
-          @click="copy('{{.EndpointURL}}')"
+          @click="copy($refs.endpointUrl.textContent)"
           class="inline-flex shrink-0 items-center justify-center gap-1.5 rounded-md border border-slate-300 bg-white px-3 py-2 text-sm font-medium text-slate-700 hover:bg-slate-50 focus:outline-none focus-visible:ring-2 focus-visible:ring-indigo-500"
         >
           <svg viewBox="0 0 24 24" class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">

From 9470ee934d8b5da0dc3f33fdf9fa45519c837861 Mon Sep 17 00:00:00 2001
From: botre <git@bjornkrols.com>
Date: Tue, 19 May 2026 17:13:49 +0200
Subject: [PATCH 2/4] Add PLATFORM env var for client-IP resolution and
 vendor-header stripping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

httphq runs behind different providers depending on where it's
self-hosted, each exposing the real client IP under its own header. The
PLATFORM env var lets the operator declare their provider (cloudflare,
fly, heroku, render, proxy, or direct) and httphq resolves the right
client-IP strategy from it — replacing the Cloudflare-hardcoded chain.

Declaring the platform also strips that provider's vendor headers
(e.g. Cloudflare's Cf-*) from captured requests, so users inspect their
own traffic without infrastructure noise. Cdn-Loop (RFC 8586, not
vendor specific) joins the generic omittedHeaders list.

TrustProxy is now conditional on a platform being set, so a directly
exposed deployment doesn't trust forwarded headers. An unknown PLATFORM
fails safe to direct. README documents PLATFORM, APPLICATION_ENV and
LOG_LEVEL.
---
 README.md          |  39 +++++++++++++++
 src/application.go | 122 ++++++++++++++++++++++++++++++++-------------
 2 files changed, 127 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index b4ef6df..a9b3cc4 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,45 @@
 
 [Scripts](docs/scripts.md)
 
+## Configuration
+
+httphq is configured entirely through environment variables.
+
+| Variable          | Default       | Description                                                                                                 |
+| ----------------- | ------------- | ----------------------------------------------------------------------------------------------------------- |
+| `APPLICATION_ENV` | `development` | Set to `production` to bind all interfaces, raise the rate limit, and default logging to `info`.            |
+| `LOG_LEVEL`       | env-dependent | Overrides the log level: `debug`, `info`, `warn`, or `error`.                                               |
+| `PLATFORM`        | `direct`      | The hosting platform in front of httphq — selects which header the real client IP is read from (see below). |
+
+### `PLATFORM`
+
+httphq derives the client IP (used for rate limiting and shown on captured
+requests) from the header your hosting platform sets. Declare your platform
+and httphq picks the right strategy:
+
+| `PLATFORM`       | Client IP source                                                        |
+| ---------------- | ----------------------------------------------------------------------- |
+| unset / `direct` | The TCP connection peer (no proxy).                                     |
+| `cloudflare`     | `CF-Connecting-IP` header.                                              |
+| `fly`            | `Fly-Client-IP` header.                                                 |
+| `heroku`         | `X-Forwarded-For` (leftmost).                                           |
+| `render`         | `X-Forwarded-For` (leftmost).                                           |
+| `proxy`          | `X-Forwarded-For` (leftmost) — generic nginx / Traefik / load balancer. |
+
+An unrecognised value falls back to `direct`.
+
+Declaring the platform also strips its vendor-specific headers (e.g.
+Cloudflare's `Cf-*`) from captured requests, so users inspect their own traffic
+without the noise of whatever provider sits in front of httphq.
+
+> **Security note.** Setting `PLATFORM` trusts that platform's client-IP
+> header unconditionally — httphq cannot tell a real platform header from one
+> a client forged. You must ensure inbound traffic cannot reach httphq
+> bypassing the platform (e.g. lock your origin to the platform's IP ranges),
+> or a client can spoof its IP and evade rate limiting. Conversely, if you run
+> behind a proxy but leave `PLATFORM` unset, every request appears to come
+> from the proxy and rate limiting becomes global.
+
 ## Logging
 
 httphq logs to stdout as structured JSON via the standard library's `log/slog` — one JSON object per line, with no log files or shipping built in, so any collector can pick the logs up. Field names follow OpenTelemetry conventions (`service.name`, `http.request.method`, `url.path`, `http.response.status_code`, ...). Every request gets a correlation `request_id` (a valid inbound `X-Request-Id` is reused, otherwise one is minted) that is echoed back on the response header and stamped onto every log line emitted while handling that request. Each request produces one access-log line; headers and bodies are never logged, paths are logged without their query string, and a denylist masks sensitive keys as a backstop. The level defaults to `info` in production (`debug` elsewhere) and is overridable with `LOG_LEVEL`; Kubernetes probe traffic to `/api/health` logs at `debug` so it stays out of production logs.
diff --git a/src/application.go b/src/application.go
index 8a78ad4..7984848 100644
--- a/src/application.go
+++ b/src/application.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"regexp"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,9 +36,11 @@ const (
 
 var isProduction = os.Getenv("APPLICATION_ENV") == "production"
 
-// Headers stripped from captured requests so users see their original payload,
-// not infrastructure-added headers.
+// Generic forwarding headers stripped from every captured request so users
+// see their original payload, not infrastructure-added headers. Vendor headers
+// specific to a hosting platform are stripped separately, see platformConfig.
 var omittedHeaders = [...]string{
+	"Cdn-Loop", // RFC 8586 CDN loop detection — not vendor specific
 	"Trace",
 	"Traceparent",
 	"Tracestate",
@@ -52,6 +55,63 @@ var omittedHeaders = [...]string{
 	"X-Request-Start",
 }
 
+// platformConfig describes how a hosting platform exposes request metadata:
+// which header carries the real client IP, and which vendor headers it adds
+// that should be hidden from captured requests — users inspect their own
+// traffic and shouldn't have to care which provider sits in front of httphq.
+type platformConfig struct {
+	ipHeader    string   // header with the real client IP; "" = TCP peer
+	ipList      bool     // ipHeader is a comma-separated list; take the leftmost
+	stripPrefix []string // captured-request header prefixes to drop as vendor noise
+}
+
+// platforms maps the PLATFORM env var to its config. Each platform overwrites
+// (or reliably sets) its own headers; the operator is responsible for ensuring
+// traffic cannot reach the app bypassing the platform.
+var platforms = map[string]platformConfig{
+	"direct":     {},
+	"cloudflare": {ipHeader: "Cf-Connecting-Ip", stripPrefix: []string{"Cf-"}},
+	"fly":        {ipHeader: "Fly-Client-Ip", stripPrefix: []string{"Fly-"}},
+	"heroku":     {ipHeader: "X-Forwarded-For", ipList: true},
+	"render":     {ipHeader: "X-Forwarded-For", ipList: true},
+	"proxy":      {ipHeader: "X-Forwarded-For", ipList: true},
+}
+
+// currentPlatform is the config resolved once from PLATFORM at startup.
+var currentPlatform platformConfig
+
+// resolvePlatform maps a PLATFORM value to its config. An empty value means
+// "direct"; an unrecognised value fails safe to "direct" so a typo never
+// causes a spoofable header to be trusted.
+func resolvePlatform(name string) platformConfig {
+	name = strings.ToLower(strings.TrimSpace(name))
+	if name == "" {
+		name = "direct"
+	}
+	if p, ok := platforms[name]; ok {
+		return p
+	}
+	slog.Warn("unknown PLATFORM, falling back to direct", "platform", name)
+	return platforms["direct"]
+}
+
+// omitHeader reports whether a captured-request header is infrastructure noise
+// — a generic forwarding header or a vendor header added by the configured
+// PLATFORM — and so should be hidden from the user.
+func omitHeader(name string) bool {
+	for _, h := range omittedHeaders {
+		if strings.EqualFold(name, h) {
+			return true
+		}
+	}
+	for _, prefix := range currentPlatform.stripPrefix {
+		if len(name) >= len(prefix) && strings.EqualFold(name[:len(prefix)], prefix) {
+			return true
+		}
+	}
+	return false
+}
+
 // endpointIDPattern bounds an endpoint ID to the shape haikunator emits
 // (lowercase words and digits joined by hyphens). Rejecting anything else
 // keeps attacker-controlled characters — quotes, angle brackets, parens —
@@ -122,38 +182,23 @@ func (r *socketRegistry) count() int {
 	return n
 }
 
-// resolveClientIP picks the most trustworthy client IP available. Cloudflare
-// overwrites CF-Connecting-IP on every request, so it is the only header an
-// upstream client cannot spoof — we prefer it. We then fall back through
-// X-Real-Ip, X-Forwarded-For (leftmost) and the TCP peer for non-Cloudflare
-// deployments, verifying each parses as an IP.
+// resolveClientIP returns the real client IP per the configured PLATFORM
+// strategy: it reads the platform's client-IP header (leftmost entry when the
+// header is a list) and validates it parses. With no platform configured, or
+// when the header is missing or malformed, it falls back to the TCP peer.
 func resolveClientIP(c fiber.Ctx) string {
-	if v := c.Get("Cf-Connecting-Ip"); v != "" {
-		if ip := net.ParseIP(v); ip != nil {
-			return ip.String()
-		}
-	}
-	if v := c.Get("X-Real-Ip"); v != "" {
-		if ip := net.ParseIP(v); ip != nil {
-			return ip.String()
-		}
-	}
-	if xff := c.Get(fiber.HeaderXForwardedFor); xff != "" {
-		// leftmost
-		for i := 0; i < len(xff); i++ {
-			if xff[i] == ',' {
-				if ip := net.ParseIP(trimSpace(xff[:i])); ip != nil {
-					return ip.String()
-				}
-				break
+	if currentPlatform.ipHeader != "" {
+		v := c.Get(currentPlatform.ipHeader)
+		if currentPlatform.ipList {
+			if i := strings.IndexByte(v, ','); i >= 0 {
+				v = v[:i]
 			}
 		}
-		if ip := net.ParseIP(trimSpace(xff)); ip != nil {
+		if ip := net.ParseIP(trimSpace(v)); ip != nil {
 			return ip.String()
 		}
 	}
-	peer := c.IP()
-	if ip := net.ParseIP(peer); ip != nil {
+	if ip := net.ParseIP(c.IP()); ip != nil {
 		return ip.String()
 	}
 	return ""
@@ -178,6 +223,12 @@ func main() {
 	}
 	logging.Init("httphq", env)
 
+	/* Client IP strategy */
+
+	currentPlatform = resolvePlatform(os.Getenv("PLATFORM"))
+	slog.Info("platform resolved",
+		"platform", os.Getenv("PLATFORM"), "ip_header", currentPlatform.ipHeader)
+
 	/* Database */
 
 	database.Connect("file:local.db?_journal_mode=WAL&_busy_timeout=5000&_synchronous=NORMAL")
@@ -214,10 +265,11 @@ func main() {
 		Views:       engine,
 		ViewsLayout: "layouts/main",
 		BodyLimit:   bodyLimit,
-		// Trust the upstream proxy (Traefik in cluster) so c.IP, the limiter, and
-		// header-based extraction reflect the real client. Pod CIDRs vary per
-		// cluster; restrict via env if you need a tighter list.
-		TrustProxy:  true,
+		// Trust the upstream proxy only when a PLATFORM is configured, so
+		// c.Scheme() honours X-Forwarded-Proto (correct ws/wss + EndpointURL).
+		// With no platform, the app is treated as directly exposed and
+		// c.IP()/c.Scheme() reflect the real connection.
+		TrustProxy:  currentPlatform.ipHeader != "",
 		ProxyHeader: fiber.HeaderXForwardedFor,
 	})
 
@@ -416,8 +468,10 @@ func main() {
 			headers["Content-Type"] = []string{"application/x-www-form-urlencoded"}
 			headers["User-Agent"] = []string{"curl/7.79.1"}
 		}
-		for _, omittedHeader := range omittedHeaders {
-			delete(headers, omittedHeader)
+		for k := range headers {
+			if omitHeader(k) {
+				delete(headers, k)
+			}
 		}
 
 		// Flatten []string headers to a {key: scalar-or-array} JSON; the UI

From bb8eab679a7d530c9244f62171d1666ab3e7e669 Mon Sep 17 00:00:00 2001
From: botre <git@bjornkrols.com>
Date: Tue, 19 May 2026 17:13:55 +0200
Subject: [PATCH 3/4] Format codebase with Prettier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

No functional changes — whitespace and wrapping only.
---
 .github/workflows/release.yml     |   4 +-
 .github/workflows/test.yml        |   6 +-
 e2e/tests/endpoint-screen.spec.ts |  42 +++-----
 e2e/tests/home-screen.spec.ts     |   4 +-
 public/endpoint.js                |   7 +-
 public/index.js                   |   6 +-
 src/views/contact.html            |  23 ++++-
 src/views/endpoint.html           | 153 +++++++++++++++++++++++-------
 src/views/index.html              | 123 ++++++++++++++++++------
 src/views/layouts/main.html       |   4 +-
 src/views/partials/footer.html    |  19 +++-
 11 files changed, 277 insertions(+), 114 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d099d4..8435483 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.25'
+          go-version: "1.25"
           cache: false
       - run: go vet ./...
 
@@ -23,7 +23,7 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.25'
+          go-version: "1.25"
           cache: false
       - run: CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /tmp/httphq ./src
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1065f3f..d3e9349 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.25'
+          go-version: "1.25"
           cache: false
       - run: go test ./...
   e2e:
@@ -28,11 +28,11 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.25'
+          go-version: "1.25"
           cache: false
       - uses: actions/setup-node@v6
         with:
-          node-version: '22'
+          node-version: "22"
       - name: Build server
         run: CGO_ENABLED=0 go build -o ./bin/httphq ./src
         working-directory: .
diff --git a/e2e/tests/endpoint-screen.spec.ts b/e2e/tests/endpoint-screen.spec.ts
index 006e1b3..365fb1e 100644
--- a/e2e/tests/endpoint-screen.spec.ts
+++ b/e2e/tests/endpoint-screen.spec.ts
@@ -1,8 +1,4 @@
-import {
-  test,
-  expect,
-  type APIRequestContext,
-} from "@playwright/test";
+import { test, expect, type APIRequestContext } from "@playwright/test";
 
 const randomId = () => Math.random().toString(36).slice(2, 7);
 
@@ -40,13 +36,11 @@ test.describe("Endpoint screen", () => {
 
   test("copy-url button writes the URL to the clipboard", async ({ page }) => {
     await page.locator('[data-test="copy-url"]').click();
-    const clipboard = await page.evaluate(() =>
-      navigator.clipboard.readText(),
-    );
+    const clipboard = await page.evaluate(() => navigator.clipboard.readText());
     expect(clipboard).toBe(endpointUrl);
-    await expect(
-      page.locator('[data-test="copy-url-label"]'),
-    ).toContainText("Copied!");
+    await expect(page.locator('[data-test="copy-url-label"]')).toContainText(
+      "Copied!",
+    );
   });
 
   test("disclaimer about 4-hour retention is visible", async ({ page }) => {
@@ -60,15 +54,11 @@ test.describe("Endpoint screen", () => {
       page,
     }) => {
       await page.locator('[data-test="send-toggle"]').click();
-      await page
-        .locator('[data-test="send-method"]')
-        .selectOption("PUT");
+      await page.locator('[data-test="send-method"]').selectOption("PUT");
       await page
         .locator('[data-test="send-headers"]')
         .fill("X-Source: panel\nContent-Type: application/json");
-      await page
-        .locator('[data-test="send-body"]')
-        .fill('{"hello":"panel"}');
+      await page.locator('[data-test="send-body"]').fill('{"hello":"panel"}');
       await page.locator('[data-test="send-submit"]').click();
 
       const card = page.locator('[data-test="request"]').first();
@@ -123,9 +113,9 @@ test.describe("Endpoint screen", () => {
       await expect(details).toContainText("127.0.0.1");
       await expect(details).toContainText(endpointPath);
       await expect(card).toContainText("POST");
-      await expect(
-        card.locator('[data-test="request-headers"]'),
-      ).toContainText("Content-Type");
+      await expect(card.locator('[data-test="request-headers"]')).toContainText(
+        "Content-Type",
+      );
       await expect(card.locator('[data-test="request-body"]')).toContainText(
         "Hello, World!",
       );
@@ -145,9 +135,7 @@ test.describe("Endpoint screen", () => {
       expect(text).toContain('"hello": "world"');
       expect(text).toContain("\n  ");
       // Highlight.js wraps tokens in <span class="hljs-…"> elements.
-      const tokenCount = await body
-        .locator("pre span.hljs-string")
-        .count();
+      const tokenCount = await body.locator("pre span.hljs-string").count();
       expect(tokenCount).toBeGreaterThan(0);
     });
 
@@ -254,17 +242,13 @@ test.describe("Endpoint screen", () => {
         "3 results",
       );
 
-      await page
-        .locator('[data-test="method-filter"]')
-        .selectOption("POST");
+      await page.locator('[data-test="method-filter"]').selectOption("POST");
       await expect(page.locator('[data-test="search-results"]')).toContainText(
         "1 result",
       );
       await expect(page.locator('[data-test="request"]')).toHaveCount(1);
 
-      await page
-        .locator('[data-test="method-filter"]')
-        .selectOption("");
+      await page.locator('[data-test="method-filter"]').selectOption("");
       await expect(page.locator('[data-test="search-results"]')).toContainText(
         "3 results",
       );
diff --git a/e2e/tests/home-screen.spec.ts b/e2e/tests/home-screen.spec.ts
index 891bdd2..0bd56f3 100644
--- a/e2e/tests/home-screen.spec.ts
+++ b/e2e/tests/home-screen.spec.ts
@@ -16,7 +16,9 @@ test.describe("Home screen", () => {
   });
 
   test("create endpoint button is visible", async ({ page }) => {
-    await expect(page.locator('button[data-test="create-endpoint"]')).toBeVisible();
+    await expect(
+      page.locator('button[data-test="create-endpoint"]'),
+    ).toBeVisible();
   });
 
   test("create endpoint button redirects to the endpoint screen", async ({
diff --git a/public/endpoint.js b/public/endpoint.js
index f2899b1..d9f0057 100644
--- a/public/endpoint.js
+++ b/public/endpoint.js
@@ -73,10 +73,9 @@
       },
 
       deleteRequest(uuid) {
-        return fetch(
-          `/api/endpoints/${this.endpointId}/requests/${uuid}`,
-          { method: "DELETE" },
-        )
+        return fetch(`/api/endpoints/${this.endpointId}/requests/${uuid}`, {
+          method: "DELETE",
+        })
           .then(() => {
             this.requests = this.requests.filter((r) => r.uuid !== uuid);
           })
diff --git a/public/index.js b/public/index.js
index 35fa7f1..40e39c7 100644
--- a/public/index.js
+++ b/public/index.js
@@ -47,7 +47,11 @@ window.renderBody = function (body, headers) {
   }
   // Heuristic: looks like XML/HTML if it starts with '<'
   const trimmed = body.trimStart();
-  if (trimmed.startsWith("<") && window.hljs && window.hljs.getLanguage("xml")) {
+  if (
+    trimmed.startsWith("<") &&
+    window.hljs &&
+    window.hljs.getLanguage("xml")
+  ) {
     return window.hljs.highlight(body, { language: "xml" }).value;
   }
   return window.htmlEscape(body);
diff --git a/src/views/contact.html b/src/views/contact.html
index d4579fe..20f1c84 100644
--- a/src/views/contact.html
+++ b/src/views/contact.html
@@ -3,7 +3,9 @@
 <main class="flex-1 py-8 sm:py-12">
   <div class="max-w-xl mx-auto">
     <div class="text-center mb-8 space-y-2">
-      <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">Get in touch</h1>
+      <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">
+        Get in touch
+      </h1>
       <p class="text-slate-600">
         Found a bug, have an idea, or want to say hi? We read every message.
       </p>
@@ -24,7 +26,10 @@ <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">Get in touch</h1>
       />
 
       <div>
-        <label for="name" class="block text-sm font-medium text-slate-700 mb-1.5">
+        <label
+          for="name"
+          class="block text-sm font-medium text-slate-700 mb-1.5"
+        >
           Name
         </label>
         <input
@@ -39,7 +44,10 @@ <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">Get in touch</h1>
       </div>
 
       <div>
-        <label for="email" class="block text-sm font-medium text-slate-700 mb-1.5">
+        <label
+          for="email"
+          class="block text-sm font-medium text-slate-700 mb-1.5"
+        >
           Email
         </label>
         <input
@@ -55,7 +63,10 @@ <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">Get in touch</h1>
       </div>
 
       <div>
-        <label for="message" class="block text-sm font-medium text-slate-700 mb-1.5">
+        <label
+          for="message"
+          class="block text-sm font-medium text-slate-700 mb-1.5"
+        >
           Message
         </label>
         <textarea
@@ -69,7 +80,9 @@ <h1 class="text-2xl sm:text-3xl font-semibold text-slate-900">Get in touch</h1>
         ></textarea>
       </div>
 
-      <div class="flex items-center justify-between gap-3 pt-2 border-t border-slate-100">
+      <div
+        class="flex items-center justify-between gap-3 pt-2 border-t border-slate-100"
+      >
         <p class="text-xs text-slate-500">
           We typically reply within a couple of days.
         </p>
diff --git a/src/views/endpoint.html b/src/views/endpoint.html
index b6a5242..82dbeb7 100644
--- a/src/views/endpoint.html
+++ b/src/views/endpoint.html
@@ -26,9 +26,16 @@
           @click="copy($refs.endpointUrl.textContent)"
           class="inline-flex shrink-0 items-center justify-center gap-1.5 rounded-md border border-slate-300 bg-white px-3 py-2 text-sm font-medium text-slate-700 hover:bg-slate-50 focus:outline-none focus-visible:ring-2 focus-visible:ring-indigo-500"
         >
-          <svg viewBox="0 0 24 24" class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-            <rect x="9" y="9" width="13" height="13" rx="2"/>
-            <path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"/>
+          <svg
+            viewBox="0 0 24 24"
+            class="w-4 h-4"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            aria-hidden="true"
+          >
+            <rect x="9" y="9" width="13" height="13" rx="2" />
+            <path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1" />
           </svg>
           <span x-text="copyLabel" data-test="copy-url-label">Copy</span>
         </button>
@@ -38,18 +45,34 @@
 
   <!-- Send custom request panel -->
   <section class="mb-6">
-    <details class="group rounded-lg border border-slate-200 bg-white shadow-sm">
+    <details
+      class="group rounded-lg border border-slate-200 bg-white shadow-sm"
+    >
       <summary
         data-test="send-toggle"
         class="list-none px-4 sm:px-5 py-3 flex items-center gap-2 font-medium text-slate-700 hover:bg-slate-50"
       >
-        <svg viewBox="0 0 24 24" class="w-4 h-4 shrink-0" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-          <path d="M22 2L11 13"/>
-          <path d="M22 2l-7 20-4-9-9-4 20-7z"/>
+        <svg
+          viewBox="0 0 24 24"
+          class="w-4 h-4 shrink-0"
+          fill="none"
+          stroke="currentColor"
+          stroke-width="2"
+          aria-hidden="true"
+        >
+          <path d="M22 2L11 13" />
+          <path d="M22 2l-7 20-4-9-9-4 20-7z" />
         </svg>
         <span>Send a test request</span>
-        <svg viewBox="0 0 24 24" class="w-4 h-4 text-slate-400 transition group-open:rotate-180" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-          <polyline points="6 9 12 15 18 9"/>
+        <svg
+          viewBox="0 0 24 24"
+          class="w-4 h-4 text-slate-400 transition group-open:rotate-180"
+          fill="none"
+          stroke="currentColor"
+          stroke-width="2"
+          aria-hidden="true"
+        >
+          <polyline points="6 9 12 15 18 9" />
         </svg>
       </summary>
 
@@ -58,7 +81,10 @@
         class="border-t border-slate-200 p-4 sm:p-5 space-y-3"
       >
         <label class="block sm:max-w-[10rem]">
-          <span class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1">Method</span>
+          <span
+            class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1"
+            >Method</span
+          >
           <select
             data-test="send-method"
             x-model="sendForm.method"
@@ -70,7 +96,9 @@
           </select>
         </label>
         <label class="block">
-          <span class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1">
+          <span
+            class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1"
+          >
             Headers (one per line, <code class="font-mono">Key: Value</code>)
           </span>
           <textarea
@@ -83,7 +111,10 @@
           ></textarea>
         </label>
         <label class="block">
-          <span class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1">Body</span>
+          <span
+            class="block text-xs font-medium text-slate-500 uppercase tracking-wide mb-1"
+            >Body</span
+          >
           <textarea
             data-test="send-body"
             x-model="sendForm.body"
@@ -108,7 +139,9 @@
   </section>
 
   <!-- Disclaimer + delete-all -->
-  <div class="mb-4 flex items-center justify-between gap-4 text-sm text-slate-500">
+  <div
+    class="mb-4 flex items-center justify-between gap-4 text-sm text-slate-500"
+  >
     <p class="inline-flex items-center gap-2">
       <span aria-hidden="true">⚠️</span>
       <span>Requests are deleted after 4 hours</span>
@@ -119,11 +152,18 @@
       @click="$store.main.deleteRequests()"
       class="inline-flex items-center gap-1.5 rounded-md border border-rose-200 bg-rose-50 px-3 py-1.5 text-sm font-medium text-rose-700 hover:bg-rose-100 focus:outline-none focus-visible:ring-2 focus-visible:ring-rose-500"
     >
-      <svg viewBox="0 0 24 24" class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-        <polyline points="3 6 5 6 21 6"/>
-        <path d="M19 6l-2 14a2 2 0 0 1-2 2H9a2 2 0 0 1-2-2L5 6"/>
-        <path d="M10 11v6"/>
-        <path d="M14 11v6"/>
+      <svg
+        viewBox="0 0 24 24"
+        class="w-4 h-4"
+        fill="none"
+        stroke="currentColor"
+        stroke-width="2"
+        aria-hidden="true"
+      >
+        <polyline points="3 6 5 6 21 6" />
+        <path d="M19 6l-2 14a2 2 0 0 1-2 2H9a2 2 0 0 1-2-2L5 6" />
+        <path d="M10 11v6" />
+        <path d="M14 11v6" />
       </svg>
       Delete all
     </button>
@@ -165,7 +205,10 @@
         class="rounded-lg border border-dashed border-slate-300 bg-white py-12 px-4 text-center text-slate-500"
       >
         <p class="text-base">
-          Waiting for requests<span class="loading-dots" aria-hidden="true"></span>
+          Waiting for requests<span
+            class="loading-dots"
+            aria-hidden="true"
+          ></span>
         </p>
         <p class="mt-2 text-sm">
           Requests sent to your URL will appear here in real time.
@@ -174,7 +217,10 @@
     </template>
 
     <!-- Cards -->
-    <template x-for="request in $store.main.visibleRequests" :key="request.uuid">
+    <template
+      x-for="request in $store.main.visibleRequests"
+      :key="request.uuid"
+    >
       <article
         :id="`request-${request.uuid}`"
         data-test="request"
@@ -204,9 +250,16 @@
             class="inline-flex items-center gap-1 text-sm text-slate-500 hover:text-rose-600"
             aria-label="Delete this request"
           >
-            <svg viewBox="0 0 24 24" class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-              <line x1="18" y1="6" x2="6" y2="18"/>
-              <line x1="6" y1="6" x2="18" y2="18"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-4 h-4"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+              aria-hidden="true"
+            >
+              <line x1="18" y1="6" x2="6" y2="18" />
+              <line x1="6" y1="6" x2="18" y2="18" />
             </svg>
             <span class="hidden sm:inline">Delete</span>
           </button>
@@ -215,23 +268,37 @@
         <div class="space-y-4 p-4 sm:p-5">
           <!-- Details -->
           <div data-test="request-details">
-            <div class="text-xs font-medium text-slate-500 uppercase tracking-wide mb-2">
+            <div
+              class="text-xs font-medium text-slate-500 uppercase tracking-wide mb-2"
+            >
               Details
             </div>
-            <dl class="grid grid-cols-[10rem_1fr] gap-x-3 text-sm divide-y divide-slate-100 [&>dt]:py-1.5 [&>dd]:py-1.5">
+            <dl
+              class="grid grid-cols-[10rem_1fr] gap-x-3 text-sm divide-y divide-slate-100 [&>dt]:py-1.5 [&>dd]:py-1.5"
+            >
               <dt class="text-slate-500">Time</dt>
-              <dd :title="request.createdAt.toLocaleString()" x-text="formatTimeAgo(request.createdAt)"></dd>
+              <dd
+                :title="request.createdAt.toLocaleString()"
+                x-text="formatTimeAgo(request.createdAt)"
+              ></dd>
               <dt class="text-slate-500">Client IP</dt>
               <dd class="font-mono text-xs" x-text="request.ip || '—'"></dd>
               <dt class="text-slate-500">Path</dt>
-              <dd class="font-mono text-xs break-all" x-text="request.path"></dd>
+              <dd
+                class="font-mono text-xs break-all"
+                x-text="request.path"
+              ></dd>
             </dl>
           </div>
 
           <!-- Headers -->
           <div data-test="request-headers">
             <div class="flex items-center justify-between mb-2">
-              <div class="text-xs font-medium text-slate-500 uppercase tracking-wide">Headers</div>
+              <div
+                class="text-xs font-medium text-slate-500 uppercase tracking-wide"
+              >
+                Headers
+              </div>
               <button
                 type="button"
                 data-test="copy-headers"
@@ -243,10 +310,19 @@
             </div>
             <div class="overflow-auto max-h-64">
               <dl class="grid grid-cols-[10rem_1fr] gap-x-3 text-xs">
-                <template x-for="[k, v] in Object.entries(request.headers)" :key="k">
+                <template
+                  x-for="[k, v] in Object.entries(request.headers)"
+                  :key="k"
+                >
                   <div class="contents">
-                    <dt class="py-1 text-slate-500 font-mono break-all border-t border-slate-100 first:border-t-0" x-text="k"></dt>
-                    <dd class="py-1 font-mono break-all border-t border-slate-100 first:border-t-0" x-text="Array.isArray(v) ? v.join(', ') : v"></dd>
+                    <dt
+                      class="py-1 text-slate-500 font-mono break-all border-t border-slate-100 first:border-t-0"
+                      x-text="k"
+                    ></dt>
+                    <dd
+                      class="py-1 font-mono break-all border-t border-slate-100 first:border-t-0"
+                      x-text="Array.isArray(v) ? v.join(', ') : v"
+                    ></dd>
                   </div>
                 </template>
               </dl>
@@ -256,11 +332,16 @@
 
         <!-- Query string -->
         <div data-test="query-string" class="px-4 sm:px-5 pb-3">
-          <div class="text-xs font-medium text-slate-500 uppercase tracking-wide mb-1">
+          <div
+            class="text-xs font-medium text-slate-500 uppercase tracking-wide mb-1"
+          >
             Query string
           </div>
           <template x-if="request.queryString">
-            <pre class="text-xs font-mono bg-slate-50 border border-slate-200 rounded p-3 overflow-auto" x-text="request.queryString"></pre>
+            <pre
+              class="text-xs font-mono bg-slate-50 border border-slate-200 rounded p-3 overflow-auto"
+              x-text="request.queryString"
+            ></pre>
           </template>
           <template x-if="!request.queryString">
             <p class="text-xs text-slate-400 italic">None</p>
@@ -270,7 +351,11 @@
         <!-- Body -->
         <div data-test="request-body" class="px-4 sm:px-5 pb-4 sm:pb-5">
           <div class="flex items-center justify-between mb-1">
-            <div class="text-xs font-medium text-slate-500 uppercase tracking-wide">Body</div>
+            <div
+              class="text-xs font-medium text-slate-500 uppercase tracking-wide"
+            >
+              Body
+            </div>
             <button
               type="button"
               data-test="copy-body"
diff --git a/src/views/index.html b/src/views/index.html
index 8dad3f1..e868e5d 100644
--- a/src/views/index.html
+++ b/src/views/index.html
@@ -2,7 +2,9 @@
 
 <main class="flex-1 flex flex-col items-center text-center">
   <div class="max-w-2xl mx-auto pt-10 sm:pt-16 pb-6 sm:pb-8 space-y-6">
-    <h1 class="text-3xl sm:text-5xl font-semibold tracking-tight text-slate-900">
+    <h1
+      class="text-3xl sm:text-5xl font-semibold tracking-tight text-slate-900"
+    >
       Inspect HTTP requests<br class="hidden sm:inline" />
       in real&nbsp;time
     </h1>
@@ -17,9 +19,16 @@ <h1 class="text-3xl sm:text-5xl font-semibold tracking-tight text-slate-900">
         class="inline-flex items-center justify-center gap-2 rounded-md bg-indigo-600 px-6 py-3 text-base text-white font-medium shadow-sm hover:bg-indigo-500 focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-indigo-500 transition"
       >
         Create endpoint
-        <svg viewBox="0 0 24 24" class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" aria-hidden="true">
-          <line x1="5" y1="12" x2="19" y2="12"/>
-          <polyline points="12 5 19 12 12 19"/>
+        <svg
+          viewBox="0 0 24 24"
+          class="w-4 h-4"
+          fill="none"
+          stroke="currentColor"
+          stroke-width="2"
+          aria-hidden="true"
+        >
+          <line x1="5" y1="12" x2="19" y2="12" />
+          <polyline points="12 5 19 12 12 19" />
         </svg>
       </button>
     </form>
@@ -31,19 +40,29 @@ <h1 class="text-3xl sm:text-5xl font-semibold tracking-tight text-slate-900">
     class="w-full max-w-4xl mx-auto pt-2 pb-8 sm:pb-12 text-left"
     aria-label="Common use cases"
   >
-    <h2 class="text-center text-sm font-medium text-slate-500 uppercase tracking-wide mb-5">
+    <h2
+      class="text-center text-sm font-medium text-slate-500 uppercase tracking-wide mb-5"
+    >
       Common use cases
     </h2>
     <div class="grid grid-cols-1 sm:grid-cols-2 gap-4">
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/>
-              <polyline points="22 4 12 14.01 9 11.01"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <path d="M22 11.08V12a10 10 0 1 1-5.93-9.14" />
+              <polyline points="22 4 12 14.01 9 11.01" />
             </svg>
           </span>
           <h3 class="font-medium text-slate-900">Test webhooks</h3>
@@ -54,16 +73,24 @@ <h3 class="font-medium text-slate-900">Test webhooks</h3>
         </p>
       </article>
 
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <rect x="3" y="3" width="18" height="18" rx="2"/>
-              <line x1="3" y1="9" x2="21" y2="9"/>
-              <line x1="9" y1="21" x2="9" y2="9"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <rect x="3" y="3" width="18" height="18" rx="2" />
+              <line x1="3" y1="9" x2="21" y2="9" />
+              <line x1="9" y1="21" x2="9" y2="9" />
             </svg>
           </span>
           <h3 class="font-medium text-slate-900">Inspect form payloads</h3>
@@ -74,15 +101,23 @@ <h3 class="font-medium text-slate-900">Inspect form payloads</h3>
         </p>
       </article>
 
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <polyline points="16 18 22 12 16 6"/>
-              <polyline points="8 6 2 12 8 18"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <polyline points="16 18 22 12 16 6" />
+              <polyline points="8 6 2 12 8 18" />
             </svg>
           </span>
           <h3 class="font-medium text-slate-900">Debug API integrations</h3>
@@ -93,15 +128,23 @@ <h3 class="font-medium text-slate-900">Debug API integrations</h3>
         </p>
       </article>
 
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <rect x="5" y="2" width="14" height="20" rx="2" ry="2"/>
-              <line x1="12" y1="18" x2="12" y2="18"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <rect x="5" y="2" width="14" height="20" rx="2" ry="2" />
+              <line x1="12" y1="18" x2="12" y2="18" />
             </svg>
           </span>
           <h3 class="font-medium text-slate-900">Mobile &amp; IoT traffic</h3>
@@ -112,15 +155,23 @@ <h3 class="font-medium text-slate-900">Mobile &amp; IoT traffic</h3>
         </p>
       </article>
 
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <circle cx="12" cy="12" r="10"/>
-              <polyline points="12 6 12 12 16 14"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <circle cx="12" cy="12" r="10" />
+              <polyline points="12 6 12 12 16 14" />
             </svg>
           </span>
           <h3 class="font-medium text-slate-900">Verify cron jobs</h3>
@@ -131,17 +182,29 @@ <h3 class="font-medium text-slate-900">Verify cron jobs</h3>
         </p>
       </article>
 
-      <article class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition">
+      <article
+        class="rounded-lg border border-slate-200 bg-white p-5 shadow-sm hover:shadow-md transition"
+      >
         <div class="flex items-center gap-3 mb-2">
           <span
             class="flex items-center justify-center w-9 h-9 rounded-md bg-indigo-50 text-indigo-600"
             aria-hidden="true"
           >
-            <svg viewBox="0 0 24 24" class="w-5 h-5" fill="none" stroke="currentColor" stroke-width="2">
-              <path d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"/>
+            <svg
+              viewBox="0 0 24 24"
+              class="w-5 h-5"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+            >
+              <path
+                d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"
+              />
             </svg>
           </span>
-          <h3 class="font-medium text-slate-900">Share captures with teammates</h3>
+          <h3 class="font-medium text-slate-900">
+            Share captures with teammates
+          </h3>
         </div>
         <p class="text-sm text-slate-600">
           Anyone with the URL can read the same stream. Handy for "is the
diff --git a/src/views/layouts/main.html b/src/views/layouts/main.html
index f41deca..793e325 100644
--- a/src/views/layouts/main.html
+++ b/src/views/layouts/main.html
@@ -46,7 +46,9 @@
       crossorigin="anonymous"
     ></script>
   </head>
-  <body class="bg-slate-50 text-slate-800 antialiased min-h-screen flex flex-col">
+  <body
+    class="bg-slate-50 text-slate-800 antialiased min-h-screen flex flex-col"
+  >
     <div class="mx-auto w-full max-w-5xl px-4 sm:px-6 flex-1 flex flex-col">
       {{embed}}
     </div>
diff --git a/src/views/partials/footer.html b/src/views/partials/footer.html
index 6664ac3..0c25cab 100644
--- a/src/views/partials/footer.html
+++ b/src/views/partials/footer.html
@@ -1,6 +1,8 @@
 <footer class="mt-auto pt-12 pb-8 text-center text-sm text-slate-500 space-y-3">
   <div>
-    <a href="/contact" class="hover:text-indigo-600 hover:underline">Send us feedback</a>
+    <a href="/contact" class="hover:text-indigo-600 hover:underline"
+      >Send us feedback</a
+    >
   </div>
   <div>
     <a
@@ -9,14 +11,23 @@
       rel="noopener"
       class="inline-flex items-center gap-1.5 hover:text-indigo-600"
     >
-      <svg viewBox="0 0 24 24" class="w-4 h-4" fill="currentColor" aria-hidden="true">
-        <path d="M12 .5C5.65.5.5 5.65.5 12c0 5.08 3.29 9.39 7.86 10.91.58.1.79-.25.79-.56v-2c-3.2.7-3.87-1.37-3.87-1.37-.52-1.32-1.27-1.67-1.27-1.67-1.04-.71.08-.7.08-.7 1.15.08 1.76 1.18 1.76 1.18 1.02 1.75 2.68 1.24 3.34.95.1-.74.4-1.24.72-1.52-2.55-.29-5.24-1.27-5.24-5.66 0-1.25.45-2.27 1.18-3.07-.12-.29-.51-1.46.11-3.04 0 0 .96-.31 3.15 1.17.91-.25 1.89-.38 2.86-.38.97 0 1.95.13 2.86.38 2.18-1.48 3.14-1.17 3.14-1.17.63 1.58.23 2.75.12 3.04.74.8 1.18 1.82 1.18 3.07 0 4.4-2.69 5.36-5.26 5.65.41.36.78 1.06.78 2.13v3.16c0 .31.21.66.8.55C20.71 21.39 24 17.08 24 12 24 5.65 18.85.5 12.5.5h-.5Z"/>
+      <svg
+        viewBox="0 0 24 24"
+        class="w-4 h-4"
+        fill="currentColor"
+        aria-hidden="true"
+      >
+        <path
+          d="M12 .5C5.65.5.5 5.65.5 12c0 5.08 3.29 9.39 7.86 10.91.58.1.79-.25.79-.56v-2c-3.2.7-3.87-1.37-3.87-1.37-.52-1.32-1.27-1.67-1.27-1.67-1.04-.71.08-.7.08-.7 1.15.08 1.76 1.18 1.76 1.18 1.02 1.75 2.68 1.24 3.34.95.1-.74.4-1.24.72-1.52-2.55-.29-5.24-1.27-5.24-5.66 0-1.25.45-2.27 1.18-3.07-.12-.29-.51-1.46.11-3.04 0 0 .96-.31 3.15 1.17.91-.25 1.89-.38 2.86-.38.97 0 1.95.13 2.86.38 2.18-1.48 3.14-1.17 3.14-1.17.63 1.58.23 2.75.12 3.04.74.8 1.18 1.82 1.18 3.07 0 4.4-2.69 5.36-5.26 5.65.41.36.78 1.06.78 2.13v3.16c0 .31.21.66.8.55C20.71 21.39 24 17.08 24 12 24 5.65 18.85.5 12.5.5h-.5Z"
+        />
       </svg>
       <span>formspark/httphq</span>
     </a>
   </div>
   <div>
     A community project by
-    <a href="https://formspark.io/" class="text-indigo-600 hover:underline">Formspark</a>
+    <a href="https://formspark.io/" class="text-indigo-600 hover:underline"
+      >Formspark</a
+    >
   </div>
 </footer>

From e7f30a2ccc212ce54c550be38e80b17e0847696c Mon Sep 17 00:00:00 2001
From: botre <git@bjornkrols.com>
Date: Tue, 19 May 2026 17:14:14 +0200
Subject: [PATCH 4/4] Drop redundant comment on Cdn-Loop omitted header

---
 src/application.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/application.go b/src/application.go
index 7984848..2b88b9a 100644
--- a/src/application.go
+++ b/src/application.go
@@ -40,7 +40,7 @@ var isProduction = os.Getenv("APPLICATION_ENV") == "production"
 // see their original payload, not infrastructure-added headers. Vendor headers
 // specific to a hosting platform are stripped separately, see platformConfig.
 var omittedHeaders = [...]string{
-	"Cdn-Loop", // RFC 8586 CDN loop detection — not vendor specific
+	"Cdn-Loop",
 	"Trace",
 	"Traceparent",
 	"Tracestate",