Traffic Parrot 5.58.6 released, what's new?

We have just released version 5.58.6. Here is a list of the changes that came with the release:

Features

• Added near-miss diagnosis for unmatched HTTP requests with a per-field comparison table showing match/mismatch indicators, stub name headings, a "View Stub" link to edit the stub directly, and a "Show full stub JSON" toggle
• Added HTTP Request Log page with auto-refresh, expandable request details, and near-miss display for unmatched requests
• Added HTTP Passthrough Proxy mode that forwards unmatched requests to a real backend, with a blue "Proxied" badge in the request log and one-click stub creation from proxied requests
• Added FTP and SFTP drivers for file mocking, enabling record and replay of file-based integrations over remote FTP and SFTP servers alongside the existing local file system driver
• Added HAR file import support on the HTTP Import page, allowing you to import HTTP Archive files exported from browser DevTools to create stubs from captured traffic
• Added preview and filter for HAR and OpenAPI imports, with host, method, status, and URL filters plus per-entry selection and duplicate detection before importing
• Added REST API for importing mappings via curl or other HTTP clients, supporting all import formats (HAR, OpenAPI/Swagger, RAML, WireMock ZIP) including filtered import with hostFilter, methodFilter, statusFilter, and urlFilter parameters
• Added matches SWIFT field body matcher for IBM MQ, JMS, and File messaging mappings, enabling field-level matching on SWIFT MT messages by tag number and regex
• Added swiftField Handlebars helper for extracting SWIFT MT message field values in dynamic response templates
• Added header matcher types for HTTP stub creation, supporting contains, matches (regex), and doesNotMatch matchers in addition to the default equalTo
• Added HlsStreamTransformer for simulating HLS video streaming — serves dynamically generated .m3u8 playlists and .ts video segments from a single wildcard mapping, including multi-variant adaptive-bitrate (ABR) playlists with scenario-state-driven variant switching
• Added enable/disable toggle for HTTP mappings — temporarily disable a mapping without deleting it using the eye icon in the mapping list
• Added support for uploading precompiled protobuf file descriptor sets (.desc and .protoset files) via the gRPC skeleton import UI, in addition to .proto source files
• Messaging export/import (JMS, File) now includes the data/ directory in the exported ZIP, so dataSource-backed mappings (CSV lookup, Excel lookup, object store) work correctly when imported on another instance
• Added strict error handling mode for Handlebars helpers via trafficparrot.virtualservice.handlebars.throwErrors, which causes helper errors to throw exceptions (HTTP 500 or messaging failures) instead of embedding inline error strings in responses
• Added scanConsistency parameter to the Couchbase N1QL dataSource helper, allowing you to choose between REQUEST_PLUS (consistent, default) and NOT_BOUNDED (faster) query scan consistency, plus improved error handling that returns error messages instead of exceptions
• Added JMS performance monitoring to log total processing time of JMS messages, matching the existing IBM MQ performance monitoring capability
• Added namespace support to the manageState Handlebars helper using namespace/variableName syntax, allowing state isolation between different test scenarios
• Added namespace support to the State Management REST API, enabling isolated state per scenario or test case:
  • Create or update namespaced state using PUT /api/state/{namespace}/{name}
  • Get namespaced state using GET /api/state/{namespace}/{name}
  • List all state in a namespace using GET /api/state/{namespace}
  • Clear all state in a namespace using DELETE /api/state/{namespace}
  • Existing /api/state/global/{name} routes remain unchanged for backward compatibility
• Added PUT /api/configuration/files/{file} endpoint for creating new configuration files programmatically (returns 201 Created, or 409 Conflict if file already exists)
• OpenAPI import now fetches content from externalValue URLs in named examples, using the fetched response body as the mock response instead of a placeholder message
• Added HMAC response signing built-in response transformer — computes an HMAC signature of the response body and adds it as a Base64-encoded header, configured via transformerParameters.hmacSigning in the mapping JSON, supporting HmacSHA1, HmacSHA256, and HmacSHA512 algorithms for simulating webhook and API gateway authentication
• Added OpenAPI schema check that validates HTTP mappings against OpenAPI specification files at startup, preventing startup if any mapping references a URL path or method not found in the specifications — enable with trafficparrot.virtualservice.openapi.check.mapping.schema.on.startup=true
• Added configurable IBM MQ response headers (replyToQueueManagerName, replyToQueueName) in mapping JSON files with Handlebars template support, allowing dynamic control of response message routing headers
• Added trafficparrot.ibmmq.connect.options.accessQueue.input property to configure how IBM® MQ queues are opened for input (consumer) operations, mirroring the existing accessQueue.output property for producers

Fixes

• Broker configuration panels (JMS, IBM MQ, File messaging) now show empty configuration fields as blank rather than rendering the literal text "null" when no value is configured
• Added path traversal prevention to the objectStore Handlebars helper to ensure file access stays within the data directory
• Fixed OpenAPI 3.1 import to correctly handle JsonSchema types, generating proper example responses instead of failing with an error
• Fixed binary schema fields in OpenAPI imports to show a (binary) placeholder instead of corrupted text
• Improved error messages for unsupported external $ref schema references in OpenAPI imports

Changes

• Upgraded web UI framework from Bootstrap 3 to Bootstrap 5
• Upgraded from WireMock 2 to WireMock 3
• Simplified the HTTP Record page to show a single Recording URL input by default for the common case of recording one backend; click Record from multiple URLs to reveal URL pattern fields and record from multiple backends in one session
• Added trafficparrot.virtualservice.grpc.tls.enabled and trafficparrot.virtualservice.grpc.non.tls.enabled properties to allow independently enabling/disabling each gRPC server port
• New code should use the TransformedRequest.like(Request) static factory method in place of the deprecated TransformedRequest public constructor; the deprecated constructor remains available for backwards compatibility
• IBM MQ client library updated from com.ibm.mq.allclient to com.ibm.mq.jakarta.client. If upgrading, replace com.ibm.mq.allclient.jar with com.ibm.mq.jakarta.client.jar in your lib/external/ folder — see JMS and IBM MQ documentation for details. Existing javax.jms plugins continue to work without source changes; support for javax-based plugins will be removed in a future major release.

Traffic Parrot 5.57.3 released, what's new?

We have just released version 5.57.3. Here is a list of the changes that came with the release:

Features

• Added import/export UI for gRPC, Files and JMS protocols
• Added parseCsv Handlebars helper for parsing CSV data in dynamic responses
• Improved OpenAPI validation to correctly resolve $ref schema references

Fixes

• Fixed mapping name not being saved when cache is enabled
• Fixed OpenAPI validation issue with double-slash paths
• Fixed configuration files API path handling on Mac/Linux and Windows
• Library upgrades to fix OWASP issues

Changes

• Renewed sample SSL certificates

Traffic Parrot 5.56.5 released, what's new?

We have just released version 5.56.5. Here is a list of the changes that came with the release:

Features

• Added ResponseToPdf transformer for converting HTTP responses to PDF documents

Fixes

• Fixed cache invalidation issue when modifying active composite scenario
• Fixed an issue with __files not being read from the current scenario for some file types
• Fixed transformer multi-select UI behavior in mapping editor
• Mapping files are no longer unnecessarily trimmed on startup
• Prevent comment line being written for scenario property files
• Improved SDK workspace configuration to avoid missing dependency errors
• Library upgrades to fix OWASP issues

Changes

• Updated sample gRPC SSL certificates
• Upgraded gRPC from 1.67.1 to 1.75.0

How Traffic Parrot's Service Simulation Platform Accelerates ECC-2 Compliance for Saudi Organizations

Saudi Arabia's updated Essential Cybersecurity Controls (ECC-2:2024) framework presents both challenges and opportunities for organizations operating in the Kingdom. With 108 controls across four domains and new requirements for complete environment segregation, comprehensive security testing, and Saudi workforce localization, organizations need robust testing solutions that can deliver compliance without compromising development velocity.

Traffic Parrot's service simulation and API mocking platform directly addresses these challenges, enabling organizations to meet ECC-2 requirements while maintaining the agility needed for Vision 2030's digital transformation goals.

The ECC-2 Compliance Challenge

The National Cybersecurity Authority's updated framework isn't just about checking boxes. It demands:

• Complete isolation between production, test, and development environments
• Comprehensive security testing before any production deployment
• Zero exposure of production data during testing phases
• Continuous validation of security controls throughout development
• Third-party risk assessment without actual system connections

Traditional testing approaches that rely on production systems or real data simply cannot meet these requirements efficiently or safely.

Traffic Parrot's Direct Solution

Our service simulation platform transforms how organizations approach ECC-2 compliance by creating virtual representations of APIs, services, and third-party systems. This isn't just about mocking—it's about building a comprehensive testing ecosystem that satisfies regulatory requirements while accelerating development.

Real-World Application: Saudi Banking Sector

Consider a Saudi bank integrating with SAMA regulatory reporting APIs, SADAD payment services, and Absher authentication. With Traffic Parrot, they can:

• Simulate all government service APIs without production credentials
• Test security controls including OAuth flows, certificate validation, and encryption
• Validate disaster recovery procedures through controlled failure scenarios
• Train security teams on incident response without real threats
• Document everything for NCA compliance audits

Supporting Saudization Requirements

ECC-2 mandates that all cybersecurity positions be filled by qualified Saudi professionals. Traffic Parrot supports this requirement through:

• Local deployment options within Saudi data centers
• Knowledge transfer initiatives
• Simplified interfaces that accelerate skill development

Getting Started

Organizations can achieve measurable ECC-2 compliance improvements within weeks:

1. Deploy Traffic Parrot in your isolated test environment
2. Create service simulations for your critical APIs and integrations
3. Implement security test scenarios aligned with ECC-2 controls
4. Generate compliance reports for NCA requirements
5. Scale across teams as you demonstrate value

The Path Forward

As Saudi Arabia advances its Vision 2030 objectives, the intersection of innovation and security becomes increasingly critical. Traffic Parrot enables organizations to move fast without breaking things—or regulations.

The updated ECC-2 framework isn't just another compliance burden. It's an opportunity to build better, more secure systems. With Traffic Parrot's service simulation platform, you can turn regulatory requirements into competitive advantages.

#ECC2 #SaudiCybersecurity #APITesting #ServiceSimulation #NCA #Compliance #TrafficParrot

Traffic Parrot 5.55.2 released, what's new?

We have just released version 5.55.2. Here is a list of the changes that came with the release:

Features

• Added keyboard shortcut Ctrl/Cmd+F to focus search in mappings list for improved navigation
• Separated URL matcher from URL in mappings list to enable proper sorting by URL
• Improved UI responsiveness when working with large numbers of mappings

Fixes

• Refresh scenario dropdown when composite scenario first used

How to Mock APIs 10x Faster Using AI Chatbots

In our latest tutorial, we create a dynamic mock that returns different responses based on the day of the week. What typically takes 20 minutes of documentation diving, AI completes helps us complete in under 2 minutes.

Quick Tips for Success

Choose the Right Model

• Paid models (Claude Opus 4, ChatGPT 4.5) = first-try success
• Free models = expect 2-3 iterations

Write Better Prompts

• Be specific about your requirements
• Describe expected behavior clearly

Beyond Basic Mocks

• Use AI for complex troubleshooting
• Validate your debugging approach
• Discover diagnostic steps you might have missed

Get Started Today

We've built custom AI assistants specifically for Traffic Parrot users. Access them at trafficparrot.com/ai.

⚠️ Security reminder: Always remove sensitive data before sharing with AI.

Traffic Parrot 5.54.2 released, what's new?

We have just released version 5.54.2. Here is a list of the changes that came with the release:

Features

• Added Composite scenario support for HTTP virtual services, allowing you to combine mappings from multiple scenarios into a single active scenario
• Added URL rewriting support during HTTP recording via the trafficparrot.http.recording.rewrite.regex property to automatically transform URLs in response bodies
• Added RequestToPdf response transformer for generating PDF files from request bodies in test environments
• Added support for Brotli compression decoding during HTTP recording

Fixes

• Fixed a UI mapping list rendering issue seen on some browsers
• Fixed tooltip display issues in the web interface
• Library upgrades to fix OWASP issues

Changes

• Upgraded bundled JRE from 21.0.6 to 21.0.7

Traffic Parrot 5.53.1 released, what's new?

We have just released version 5.53.1. Here is a list of the changes that came with the release:

Features

• Added new properties to performance profile settings:

  trafficparrot.virtualservice.httpRequestLoggingDisabled=true
  trafficparrot.virtualservice.accessLogsEnabled=false
  trafficparrot.virtualservice.handlebars.maxCacheEntries=10000

Setting custom domain for Traffic Parrot HTTP mocks

 "I want to use an abc.local.excample.com domain instead of localhost to bypass the cors errors while recording. I used mkcert to generate the keys. Should this command work?
./start.sh trafficparrot.gui.https.port=21000 trafficparrot.virtualservice.https.port=21001 -Djavax.net.ssl.keyStore=~/pem/keystore.p12 -Djavax.net.ssl.keyStorePassword=password12345678 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyAlias=trafficparrot" - Staff Engineer working for a US university.

The solution to this issue is described in the documentation in the section "Change the HTTPS server certificate." https://trafficparrot.com/documentation/5.51.x/user_guide.html

If you connect to Traffic Parrot via HTTPS it will return a self-signed certificate.

If you would like Traffic Parrot to use a different certificate for its HTTPS virtual service you can override the PrivateKeyEntry called trafficparrot in trafficparrot-x.y.z/certificates/trafficparrot-keystore.jks. The password to the JKS keystore is trafficparrot.

Traffic Parrot 5.53.0 released, what's new?

We have just released version 5.53.0. Here is a list of the changes that came with the release:

Features

• Added searchable dropdown to scenario selection in the UI for better usability

Fixes

• Library upgrades to fix OWASP issues

Changes

• Increased the minimum Java runtime requirement from Java 8 to Java 17. We will continue to support Java 8 for all customers that have not yet upgraded.
• Upgraded Jetty server from v9 to v12

How do I set up an OPTIONS request in Traffic Parrot?

 "UI is making an OPTIONS request but the mock doesn’t seem to be returning the right headers resulting in CORS error. I tried changing port , URL, nothing helped, only the same Allow, Server response headers were being sent back." - Staff Engineer working for a US university.

By default, trafficparrot.properties has a flag set:
trafficparrot.http.optionsResponse.enabled=true

This tells Traffic Parrot to return a default automatic OPTIONS response with the "allow" header set only, for any defined mapping.

If you set the flag to false:

trafficparrot.http.optionsResponse.enabled=false

It will allow you to define your own custom OPTIONS response instead.

Can Traffic Parrot return binary files in responses?

 "Can an HTTP response in Traffic Parrot contain a binary file?" - software developer working for an e-commerce company.

Yes.

The simplest way to create a mock in Traffic Parrot that returns a binary file in the response is to create that mock by doing a recording. That assumes you have a real service that you can record.

If you don't have a real service that returns the binary file in the response, you can create a mapping manually. To do that:

1. Create a file in trafficparrot-x.y.z/mappings directory called, for example mapping-dummy-file.json
2. The mapping-dummy-file.json should contain the following (notice the reference to body-dummy-file.pdf): 

   {
     "id" : "5d6a8f32-914c-4b67-ae15-f2c9d7b3e091",
     "name" : "mapping-dummy-file.json",
     "request" : {
       "url" : "/dummy.pdf",
       "method" : "GET"
     },
     "response" : {
       "status" : 200,
       "bodyFileName" : "body-dummy-file.pdf",
       "headers" : {
         "Content-type" : "application/pdf"
       }
     }
   }

3. Create the binary response body file body-dummy-file.pdf in trafficparrot-x.y.z/__files. You can use any PDF file just make sure the filename is specified in the mapping json file in bodyFileName attribute
4. Now if you visit http://localhost:8081/dummy.pdf then a PDF binary file will be returned. 

Traffic Parrot 5.52.0 released, what's new?

We have just released version 5.52.0. Here is a list of the changes that came with the release:

Features

• Import OpenAPI files from the openapi configuration directory on startup
• Enable in trafficparrot.properties by setting:

  trafficparrot.openapi.import.on.startup=true

Fixes

• Library upgrades to fix OWASP issues

Changes

• Upgraded bundled JRE from 8u402 to 21.0.6
• OpenAPI imports performed via the UI will override the previous import rather than duplicating mappings
• Downgraded to WireMock 2 request matchers and Handlebars response templating helpers due to performance issues with WireMock 3

How to Mock Twilio SDK Calls With Traffic Parrot

Current flow

RabbitMQ -> SpringBoot + Twilio SDK -> Twilio API

Desired flow with Traffic Parrot

RabbitMQ -> SpringBoot + Twilio SDK -> Traffic Parrot -> Twilio API

Details

• Using Twilio REST API v2010
• Endpoint: /Accounts/{account_sid}/Messages.json
• OpenAPI spec: https://raw.githubusercontent.com/twilio/twilio-oai/main/spec/json/twilio_api_v2010.json

Question

How can we intercept and mock Twilio SDK calls using Traffic Parrot since the SDK doesn't accept a configurable URL?

Answer

Setup steps:

1. Update your code to send requests to Traffic Parrot instead of real Twilio APIs, see sample code below
2. Run Traffic Parrot on port 8081
3. Configure recorder to forward requests to api.twilio.com
4. Record sample responses from Twilio
5. Switch recorder to replay mode
6. Use the mock responses in your tests

// 1. Create a custom HTTP client that redirects Twilio requests to Traffic Parrot
public class TrafficParrotHttpClient extends NetworkHttpClient {
    private static final String TWILIO_API = "https://api.twilio.com";
    private static final String TRAFFIC_PARROT = "http://localhost:8081";
    
    @Override
    public Response makeRequest(Request request) {
        // Rewrite URL to point to Traffic Parrot
        String rewrittenUrl = request.getUrl().replace(TWILIO_API, TRAFFIC_PARROT);
        
        // Create new request with rewritten URL while preserving auth and other properties
        Request rewrittenRequest = new Request(request.getMethod(), rewrittenUrl)
            .setAuth(request.getUsername(), request.getPassword())
            .setHeaders(request.getHeaders());
            
        return super.makeRequest(rewrittenRequest);
    }
}

// 2. Configure Twilio client to use custom HTTP client
TwilioRestClient client = new TwilioRestClient.Builder("YOUR_ACCOUNT_SID", "YOUR_AUTH_TOKEN")
    .httpClient(new TrafficParrotHttpClient())
    .build();

// 3. Set as default client
Twilio.setRestClient(client);

// 4. Use Twilio SDK normally - calls will be redirected to Traffic Parrot
Message message = Message.creator(
    new PhoneNumber("+1555555555"),
    new PhoneNumber("+1555555556"), 
    "Hello from Traffic Parrot!")
    .create();

Retrieving Filenames from Binary HTTP Requests in Traffic Parrot

 We got a question recently from one of our prospects.

"When a file is sent as binary data rather than form-data, is it possible to retrieve the filename in a response in Traffic Parrot?" - Software Developer working for a French company

If you also have this issue, please send the trafficparrot.log to support@trafficparrot.com so we can see how your file is being sent to Traffic Parrot in the HTTP request.

There are many ways a filename could be included in a HTTP request, and it is hard to guess which one your company uses.

For example, here is one way you could extract it from a header for a binary request:

{{ regex request.headers.Content-Disposition 'filename=\"([^\"]+)\"' 'g' }}

Here is how you could test it:

curl -X POST http://localhost:8081/hello -H "Content-Type: application/octet-stream" -H "Content-Disposition: attachment; filename=\"helloworld.png\"" --data-binary @helloworld.png -v

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> POST /hello HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Disposition: attachment; filename="helloworld.png"
> Content-Length: 70509
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Matched-Stub-Id: 8c4695d4-f94e-4ba8-9793-ee5dcbfba6b5
< Matched-Stub-Name: hello-8c4695d4-f94e-4ba8-9793-ee5dcbfba6b5.json
< Vary: Accept-Encoding, User-Agent
< Content-Length: 41
< Server: Jetty(9.4.56.v20240826)
<

Request contains a file: helloworld.png