Traffic Parrot 5.60.3 released, what's new?

We have just released version 5.60.3. Here is a list of the changes that came with the release:

Features

• The HTTP Add/Edit mapping form now lets you edit a file-backed response (one served from a bodyFileName file) directly in the editor: a Response from file note above the response body field shows the file name, the body field is editable in place, and saving writes the edited content back to the body file in the __files directory through the mapping repository (so the in-memory cache stays in sync). When the same body file is shared by other mappings a warning is shown, because saving changes the response for all of them. You can flip a response between inline and file-backed in both directions — Switch to inline detaches the file and stores the body on the mapping, and Switch to file externalises an inline body to a new file under responses/ on save. Binary body files stay read-only and are edited on disk. Previously a file-backed response appeared as an empty body field with no indication it was served from a file.
• The same file-backed response handling is now available on the gRPC Add/Edit mapping form: when a gRPC mapping's response is served from a response.bodyFileName file, a Response from file note shows the file name, the body field is editable in place and pre-filled from the __files directory, and saving writes the edited content back to the body file through the mapping repository. A warning is shown when the file is shared by other mappings, and you can flip a response between inline and file-backed in both directions (Switch to inline / Switch to file). Binary body files stay read-only.
• Added support for externalising a request body matcher into a file in the __files directory via bodyFileName, mirroring the response-side bodyFileName convention. Any of the request body matchers (equalTo, equalToJson, equalToXml, binaryEqualTo, contains, doesNotContain, matches, doesNotMatch, matchesJsonPath, matchesXPath, matchesXml) can load the value it compares against from a file instead of inlining it in the mapping, resolved relative to the mapping's sibling __files directory and loaded once at mapping-load time. A file-backed matcher is shown in the HTTP Add/Edit mappings GUI with a Content from file note, and the mappings-list Request body column renders the matcher content inlined from the file. The externalised form is also accepted through the WireMock admin API (POST /__admin/mappings, PUT /__admin/mappings/{id} and POST /__admin/mappings/import): the file is resolved when the mapping is registered, a reference to a missing file is rejected at registration with HTTP 422 naming the file, combining bodyFileName with any other key in the same matcher entry is rejected, and mappings saved to disk keep the bodyFileName reference instead of the file's contents.
• Added a Static Files browser under the HTTP menu that lists the active scenario's __files directory, marks each file as referenced or orphaned by cross-referencing the HTTP mappings, and previews a selected file's content (JSON and XML are pretty-printed; image files are rendered inline and other binary files show their content type and size). The browser also lets you:
  • Create a new text file under the __files directory directly from the admin UI: a New file affordance prompts for a relative file name and content and adds the file to the browser, where it appears with an orphaned badge until a mapping references it.
  • Edit a text file in place: selecting a non-binary file and clicking Edit replaces the preview with an editable text area and Save/Cancel buttons, and saving overwrites the file's content in the __files directory. When the file is referenced by one or more mappings (through response.bodyFileName) a warning is shown, because saving changes the response for all of them. Binary files remain read-only and are edited on disk.
  • Delete a file: each row has a Delete button that reveals an inline Confirm/Cancel step (no browser pop-up), and confirming the deletion of an unreferenced file removes it from disk and the row disappears. The delete is reference-safe — if the file still backs a mapping the deletion is refused, a banner lists the referencing mapping(s) and the file stays listed. The reference check is complete: it covers both a file used as an HTTP response body (response.bodyFileName) and a file used as a request body matcher, so a file that the browser's orphaned badge reports as unreferenced (the badge inspects only response references) can still be blocked from deletion when it is genuinely in use, protecting you from silently breaking a request matcher. Overriding the refusal is not currently supported; to delete a referenced file, first remove or repoint the mapping(s) that use it.
  • Rename a file within the __files directory: each row has a Rename button that reveals an inline editable target-name field with Confirm/Cancel (no browser pop-up). Renaming an unreferenced file moves it to the new name, creating any intermediate sub-directories the new name implies. Like delete, the rename is reference-safe — if the file still backs a mapping the rename is refused, a banner lists the referencing mapping(s) and the file keeps its old name, because renaming would leave the mapping pointing at a name that no longer exists. The reference check is complete in the same way: it covers both a file used as an HTTP response body (response.bodyFileName) and a file used as a request body matcher, so a file that the orphaned badge reports as unreferenced (the badge inspects only response references) can still be blocked from renaming when it is genuinely in use. Renaming onto a name that already exists is refused as well, so you never silently overwrite another file. To rename a referenced file, first remove or repoint the mapping(s) that use it; automatically updating the referencing mappings to the new name is not currently supported.
  • Upload an existing file into the __files directory straight from your browser: an Upload button next to New file opens a file picker, and the chosen file is uploaded and added to the browser. Both text and binary files are accepted — the bytes are stored verbatim, so an uploaded image is listed and rendered inline in the preview pane, and any other uploaded binary file is listed and shown with its content type and size. Uploading a file whose name already exists is refused so you never silently overwrite another file, and unsafe file names (for example an absolute path or one containing .. that would escape the scenario's __files directory) are rejected. The upload has a configurable size limit, set by the new trafficparrot.multipart.upload.max.size.mb property (default 10 MB, shared by all admin-UI file uploads); a file larger than the limit is rejected with HTTP 413 and the message File exceeds the maximum upload size of N MB shown in the upload form. The limit applies only to file uploads through the admin UI and does not affect recorded traffic or mapping sizes.
  • Resize the panes with a draggable divider between the file list and the preview, so you can widen either side to suit the file you are reading. Drag the divider to set the split (it stays between 20% and 80% so neither pane collapses), and double-click it to snap back to the default split. The split you choose is remembered in your browser across page reloads. On narrow screens the panes stack vertically as before.
  • Browse files as a directory tree: files in sub-directories of __files are now grouped under expandable folder rows instead of being listed by full relative path. Each folder shows a caret you can click to collapse or expand its contents (all folders are expanded by default), and each file is labelled by its own name and indented under its folder. Selecting a file previews it, and the referenced/orphaned badges and rename, delete, edit and upload actions all work exactly as before.
  • Preview images and other binary files: selecting an image file (PNG, JPEG, GIF, SVG, WebP, BMP, ICO, APNG or AVIF) now renders the image inline in the preview pane instead of the bare not previewable note, so you can see at a glance which image a mapping serves. Selecting any other binary file shows a Binary file — <content type>, <size> note (for example Binary file — application/octet-stream, 2.3 KB) instead, so you can tell its type and size without downloading it. Text, JSON and XML files are still pretty-printed and editable in place as before; images and other binary files remain read-only and are edited on disk. Image and binary files are served back for the preview with a nosniff content-type guard and as an attachment, so a file whose bytes happen to contain active content (such as a script-bearing SVG) can never run in your browser from the preview.
• Added a Logging documentation page covering how to enable verbose logging, change the log level, find the log files (logs/trafficparrot.log), turn logging down or off, and use the Request Log near-miss view to see why an HTTP request did not match.
• The HTTP mappings list now shows a Recording active banner above the table while a recording session is running, as a reminder that deleting a mapping while recording also stops that endpoint being re-recorded for the rest of the session.
• The HTTP Record page now shows a Live coverage panel while a recording session is active, refreshing about once a second. It gives a running tally of the distinct endpoints seen so far — how many now have a mapping, how many were observed but are still unmapped, and how many mappings have not been observed — plus the per-endpoint observed and unmatched request counts, so you can tell during the session whether a recording has captured everything you expected. Endpoints are grouped by HTTP method and normalised path using the same convention as Mapping cleanup, and the panel notes how many requests in the request journal the tally is based on.
• Added a Verifying requests guide for WireMock users, mapping the verify() DSL onto Traffic Parrot's request journal: assert a request was made, was made exactly N times, or was NOT made via POST /api/http/requests/count, inspect captured bodies via POST /api/http/requests/find, list unmatched requests and near misses, and reset the journal — with a WireMock-to-Traffic-Parrot translation table and copy-paste curl recipes.
• The Application logs view (HTTP menu → Logs → Application logs) now offers a structured view of the server log in addition to the existing raw text view. The raw view remains the default; clicking Structured view parses each entry into its timestamp, level, thread and message, with a coloured band and a level badge (the level text is always shown, not signalled by colour alone, so the view stays readable in greyscale and for colour-blind users). Multi-line stack traces fold into a single collapsible entry (with Expand all / Collapse all), you can filter entries by level and by free text, and any line that does not match the log pattern is shown in full rather than hidden. The existing search, last-10,000-lines truncation and Download raw affordances are unchanged.
• Added an Available helpers panel at form level — below both the request and response cards — on the HTTP and messaging (JMS, IBM MQ and file-message) Add/Edit mapping forms, so you can discover what Traffic Parrot offers without leaving the product. The collapsible, read-only panel is a sectioned shell with three catalogues: a Response templating helpers section listing the helpers grouped by category; a Request matchers section listing the available request matchers; and an Other functionality section covering Scenarios & state, Response delays, Fault simulation, response proxying, serving a response from a file, webhook callbacks and request-matching scripts. Each entry has a one-line description, a copy-ready snippet (already scaffolded with example parameters) and a docs link, with a filter box that narrows every section as you type (matching name and description) and a per-entry Copy button. It is discovery-only and does not change how mappings are saved or how responses are rendered.
• The HTTP Add/Edit mapping form now lets you author the advanced response delay and fault shapes that were previously only configurable in mapping JSON: a log-normal random delay (median, sigma and an optional maximum, to model realistic response-time spread), a chunked dribble delay (split the response body into a number of chunks sent over a total duration, to simulate a slow trickle), and the CONNECTION_RESET_BY_PEER response fault. Because the editor now understands these shapes, opening and saving a WireMock-format JSON mapping in the GUI no longer silently strips them — previously a form open-save dropped a log-normal delayDistribution, a chunkedDribbleDelay or a CONNECTION_RESET_BY_PEER fault, so this also fixes that data loss.
• Added a matches GraphQL request body matcher for stubbing a POST /graphql endpoint, where many operations share one URL. Its full-query form matches the request's query semantically — tolerant of insignificant whitespace, selection-set field order, and argument order, so differently formatted but equivalent queries select the same response (aliases and directives stay significant). Its object form matches on operationName alone to disambiguate operations on one URL, with an optional variables object to also assert on the request's variables. Select matches GraphQL in the Request body matcher dropdown on the HTTP Add/Edit mapping form to author the full-query form; the operation-name form is authored by importing mapping JSON. A request that is not valid GraphQL simply does not match (it is never an error), and a mapping whose own GraphQL query is invalid is rejected at save/import time.
• Added a trafficparrot validate command that checks your mappings against their bound schemas without starting the server, for use as a continuous integration step. For HTTP it reports both schema drift (a mapping whose URL path and method are not declared in any OpenAPI specification in openapi/) and under-coverage (an operation declared in a specification that no mapping covers), so a partially-mocked API cannot silently drift from its contract; gRPC mappings are validated against their proto schema. It prints a labelled report and exits 0 (no drift), 1 (drift detected) or 2 (usage or configuration error, including a files-root with no mappings). Operations you deliberately do not mock can be excluded with an exclude.operations list in an openapi-coverage.properties file in the files-root; an allowlist entry that matches no operation in the specification is itself reported as drift so the list cannot quietly go stale.
• Added an external-process HTTP response transformer that passes the response through a user-supplied executable (the "middleware") written in any language — familiar to Hoverfly users. For each matched request on an opted-in mapping, Traffic Parrot serialises a versioned JSON envelope (the matched request plus the response about to be sent) to the executable's stdin and applies the mutated response read back from stdout (status, headers, body); request mutation is not supported in this release. The feature is off by default (trafficparrot.http.externalprocess.enabled) and confined to a single operator-vetted directory (trafficparrot.http.externalprocess.allowedDir) — the executable runs as the Traffic Parrot OS user with no sandbox, so enable it only on trusted hosts. Each mapping configures the executable, optional args, a per-invocation timeoutMs (default 5000, the process is killed on expiry), and an onError fallback (fail-open returns the original response, fail-closed returns HTTP 500) applied on non-zero exit, timeout, malformed output, or a missing/disallowed executable.
• The external-process transformer can now be enabled and configured directly in the HTTP mapping editor, instead of only by hand-editing the mapping JSON. When an operator has set trafficparrot.http.externalprocess.enabled=true, an ExternalProcessTransformer toggle appears in the Response transformers list under Advanced parameters; turning it on reveals an External Process tab in the Transformer parameters panel with structured fields for the executable, args (space or newline separated), timeoutMs, and onError (fail-open/fail-closed). The option is offered only when the feature is enabled, and selecting it does not bypass the trafficparrot.http.externalprocess.allowedDir allow-list that still gates which executables may run. Saving writes the same transformerParameters.external-process JSON the editor, the mapping file on disk, and the WireMock Admin API all share. See Configuring it in the editor GUI.

Documentation

• Added an Environment variables in responses how-to page covering the {{systemValue}} Handlebars helper: reading an environment variable (type='ENVIRONMENT') or a JVM system property (type='PROPERTY') into a response body or header, the default= fallback, the wiremock* allow-list and the [ERROR: Access to … is denied] failure mode, and the underscore-vs-dot naming rule for environment variables.
• Added a CORS for stub responses how-to answering the common WireMock “CORS not working” question. It documents that the Traffic Parrot virtual service is CORS-friendly out of the box for every path — the browser CORS preflight (OPTIONS) is auto-answered HTTP 200 with Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Max-Age, and the request Origin is reflected into Access-Control-Allow-Origin on the actual response — with no flag and no per-stub configuration (unlike WireMock's off-by-default --enable-stub-cors). It also shows how to pin a specific origin by setting Access-Control-Allow-Origin in a stub's response.headers, and clarifies that this CORS behaviour is independent of the trafficparrot.http.optionsResponse.enabled property (which emits only an Allow header).
• Expanded the JVM arguments section of the User Guide with a full reference for the jvm.args file: where it lives in the install directory, how each non-empty line is passed to the server JVM at startup, a table describing every shipped default (including -Xmx128m, the line to raise for large recordings or datasets), and typical adjustments.

Fixes

• The Duplicate and Delete buttons in the gRPC mappings list work again — a regression had stopped them working, so a gRPC mapping could not be duplicated or deleted from the admin UI. Both actions now behave as they do for HTTP mappings.
• A stub configured with the INCORRECT_SMALL_CONTENT_LENGTH response fault now injects the fault correctly — it serves the stubbed status with a too-small Content-Length header and a body truncated to that length — instead of returning an HTTP 500 error.
• File-message mappings now honour the priority field when resolving match precedence. Previously, when two file-message mappings both matched an inbound message, priority was ignored and the mapping loaded first always won; HTTP, JMS and IBM MQ mappings already honoured priority correctly.
• Library upgrades to fix OWASP issues.

Changes

• When the external-process transformer is enabled, Traffic Parrot now validates the trafficparrot.http.externalprocess.allowedDir directory once at startup and logs a warning if it is empty, does not exist, is not a directory, or is non-canonical, so a misconfigured allow-list is surfaced at startup rather than at the first matched request. The check is warn-only — the server still starts.
• The Import skeleton… upload on the HTTP and gRPC Add/Edit mapping pages (importing an OpenAPI/Swagger HTTP skeleton or a proto/descriptor-set gRPC message skeleton) now has a configurable size limit, set by the trafficparrot.multipart.upload.max.size.mb property (default 10 MB) — the same property that caps the Static Files browser upload. A file larger than the limit is rejected with HTTP 413 and the message The uploaded file exceeds the maximum upload size of N MB shown in the import error area, instead of being buffered unbounded. Previously these imports had no size limit.
• The HTTP Import mappings REST endpoint (/http/management/importMappings) now enforces the same trafficparrot.multipart.upload.max.size.mb cap (HTTP 413 on an oversize upload) as the skeleton-import and Static Files uploads. Previously this endpoint had no size limit.
• Upgraded bundled JRE from 21.0.7 to 21.0.11

Traffic Parrot 5.59.2 released, what's new?

We have just released version 5.59.2. Here is a list of the changes that came with the release:

Features

• Added matches FIX field body matcher for IBM MQ, JMS, and File messaging mappings, enabling tag-level matching on FIX protocol messages by tag number and regex (version-agnostic across FIX 4.2, 4.4, 5.0, and FIXT)
• Added {{fixField}} Handlebars helper for extracting FIX protocol message field values in dynamic response templates by tag number
• Added {{#fixWithChecksum}} block helper with inline {{fixBodyLength}} and {{fixCheckSum}} placeholders that auto-compute FIX 4.x tag 9 (BodyLength) and tag 10 (CheckSum) for FIX response templates, removing the need to hand-calculate these values
• Added {{image}} Handlebars helper for generating placeholder PNG images (grey rectangle with dimensions overlay) directly from a mapping body, with configurable width, height, and overlay text arguments — JDK-only, no external dependencies, deterministic within a single JVM
• Added base64-decode-body built-in response transformer that Base64-decodes the rendered response body and serves it as raw bytes, enabling binary responses (PNG, PDF, ZIP, etc.) from JSON mappings when paired with helpers such as {{image}}
• Added a Transformer parameters editor under Advanced parameters on the HTTP Add/Edit mapping form, so the response.transformerParameters JSON block (used by HmacSigningTransformer and other parameter-driven response transformers) can be authored and edited in the GUI instead of only in the mapping JSON file. The editor auto-formats the JSON on blur (2-space indent) and validates on save (invalid JSON prevents submit with an inline error). Existing mappings round-trip semantically through the form (whitespace is normalised; field order is preserved). See Editing transformer parameters in the GUI for details.
• Added a Query parameters section to the HTTP Add/Edit mapping panel, with per-parameter rows that support equal to, contains, matches regex, and absent matchers (see Request query parameter matchers). Saving produces standard WireMock queryParameters JSON; loading an existing mapping with a queryParameters block populates the rows on the form. This replaces the previous workarounds of putting the full query string in urlEqualTo or hand-writing a lookahead regex in urlMatching — both of which continue to work for existing mappings.
• Added a Convert query string to rows link under the Request URL field on the HTTP Add/Edit mapping panel. Clicking it parses name=value pairs out of a pasted URL's query string, appends one equal to row per pair to the Query parameters section, and strips the query string from the URL field. URL-encoded values (e.g. %20) are decoded automatically. The conversion is staged client-side — you still need to click Save to commit the changes.
• JSON and XML request and response bodies are now pretty-printed in the expanded detail of the Request Log. Each body block is collapsible and has a Copy button that copies the original, unformatted body. Bodies that are truncated (over 10 KB), malformed, or not JSON/XML continue to be shown raw. The same formatting applies to the gRPC requests page and the JMS, IBM MQ, and file messaging requests pages.
• Added support for supplying the license through the TRAFFICPARROT_LICENSE environment variable (base64-encoded), so it can be injected at runtime from a Kubernetes Secret, Docker secret, or secrets manager instead of being baked into a Docker image. The system property -Dtrafficparrot.license.content takes precedence over the environment variable, which takes precedence over the classpath trafficparrot.license file; if neither is set, the classpath file is read as before (no change for existing installations). A set-but-invalid value fails fast with a clear error rather than silently falling back to the file.
• The HTTP Add/Edit mapping form now shows a Response from file note above the response body field when a mapping's response is served from a bodyFileName file, making it clear that the body is loaded from the __files directory rather than typed inline.

Changes

• Removed the unused SOAP message signer dropdown from the HTTP Add/Edit mapping form's Advanced parameters section. SOAP message signing continues to work via the SoapMessageSigner entry in the trafficparrot.http.responsetransformers startup property (see Properties) and the per-mapping Response transformers multiselect.
• The tooltip shown when hovering over the URL Matcher or URL cell in the HTTP mappings list now shows the complete request match for that mapping — the HTTP method, the URL matcher type, the full untruncated URL or pattern, and each query parameter matcher (previously not visible anywhere in the list).
• The tooltip shown when hovering over the gRPC method cell in the gRPC mappings list now shows the complete request match for that mapping — the gRPC method, the request message matcher, and each request metadata matcher (previously not visible anywhere in the list).
• Deleting an HTTP mapping while recording now suppresses re-recording of that endpoint (matched by method and normalised URL path) for the rest of the current recording session, instead of immediately re-creating it the next time the same request is proxied. The suppression is session-scoped — it is cleared when recording stops and at the start of each new recording session.

Traffic Parrot 5.58.6 released, what's new?

We have just released version 5.58.6. Here is a list of the changes that came with the release:

Features

• Added near-miss diagnosis for unmatched HTTP requests with a per-field comparison table showing match/mismatch indicators, stub name headings, a "View Stub" link to edit the stub directly, and a "Show full stub JSON" toggle
• Added HTTP Request Log page with auto-refresh, expandable request details, and near-miss display for unmatched requests
• Added HTTP Passthrough Proxy mode that forwards unmatched requests to a real backend, with a blue "Proxied" badge in the request log and one-click stub creation from proxied requests
• Added FTP and SFTP drivers for file mocking, enabling record and replay of file-based integrations over remote FTP and SFTP servers alongside the existing local file system driver
• Added HAR file import support on the HTTP Import page, allowing you to import HTTP Archive files exported from browser DevTools to create stubs from captured traffic
• Added preview and filter for HAR and OpenAPI imports, with host, method, status, and URL filters plus per-entry selection and duplicate detection before importing
• Added REST API for importing mappings via curl or other HTTP clients, supporting all import formats (HAR, OpenAPI/Swagger, RAML, WireMock ZIP) including filtered import with hostFilter, methodFilter, statusFilter, and urlFilter parameters
• Added matches SWIFT field body matcher for IBM MQ, JMS, and File messaging mappings, enabling field-level matching on SWIFT MT messages by tag number and regex
• Added swiftField Handlebars helper for extracting SWIFT MT message field values in dynamic response templates
• Added header matcher types for HTTP stub creation, supporting contains, matches (regex), and doesNotMatch matchers in addition to the default equalTo
• Added HlsStreamTransformer for simulating HLS video streaming — serves dynamically generated .m3u8 playlists and .ts video segments from a single wildcard mapping, including multi-variant adaptive-bitrate (ABR) playlists with scenario-state-driven variant switching
• Added enable/disable toggle for HTTP mappings — temporarily disable a mapping without deleting it using the eye icon in the mapping list
• Added support for uploading precompiled protobuf file descriptor sets (.desc and .protoset files) via the gRPC skeleton import UI, in addition to .proto source files
• Messaging export/import (JMS, File) now includes the data/ directory in the exported ZIP, so dataSource-backed mappings (CSV lookup, Excel lookup, object store) work correctly when imported on another instance
• Added strict error handling mode for Handlebars helpers via trafficparrot.virtualservice.handlebars.throwErrors, which causes helper errors to throw exceptions (HTTP 500 or messaging failures) instead of embedding inline error strings in responses
• Added scanConsistency parameter to the Couchbase N1QL dataSource helper, allowing you to choose between REQUEST_PLUS (consistent, default) and NOT_BOUNDED (faster) query scan consistency, plus improved error handling that returns error messages instead of exceptions
• Added JMS performance monitoring to log total processing time of JMS messages, matching the existing IBM MQ performance monitoring capability
• Added namespace support to the manageState Handlebars helper using namespace/variableName syntax, allowing state isolation between different test scenarios
• Added namespace support to the State Management REST API, enabling isolated state per scenario or test case:
  • Create or update namespaced state using PUT /api/state/{namespace}/{name}
  • Get namespaced state using GET /api/state/{namespace}/{name}
  • List all state in a namespace using GET /api/state/{namespace}
  • Clear all state in a namespace using DELETE /api/state/{namespace}
  • Existing /api/state/global/{name} routes remain unchanged for backward compatibility
• Added PUT /api/configuration/files/{file} endpoint for creating new configuration files programmatically (returns 201 Created, or 409 Conflict if file already exists)
• OpenAPI import now fetches content from externalValue URLs in named examples, using the fetched response body as the mock response instead of a placeholder message
• Added HMAC response signing built-in response transformer — computes an HMAC signature of the response body and adds it as a Base64-encoded header, configured via transformerParameters.hmacSigning in the mapping JSON, supporting HmacSHA1, HmacSHA256, and HmacSHA512 algorithms for simulating webhook and API gateway authentication
• Added OpenAPI schema check that validates HTTP mappings against OpenAPI specification files at startup, preventing startup if any mapping references a URL path or method not found in the specifications — enable with trafficparrot.virtualservice.openapi.check.mapping.schema.on.startup=true
• Added configurable IBM MQ response headers (replyToQueueManagerName, replyToQueueName) in mapping JSON files with Handlebars template support, allowing dynamic control of response message routing headers
• Added trafficparrot.ibmmq.connect.options.accessQueue.input property to configure how IBM® MQ queues are opened for input (consumer) operations, mirroring the existing accessQueue.output property for producers

Fixes

• Broker configuration panels (JMS, IBM MQ, File messaging) now show empty configuration fields as blank rather than rendering the literal text "null" when no value is configured
• Added path traversal prevention to the objectStore Handlebars helper to ensure file access stays within the data directory
• Fixed OpenAPI 3.1 import to correctly handle JsonSchema types, generating proper example responses instead of failing with an error
• Fixed binary schema fields in OpenAPI imports to show a (binary) placeholder instead of corrupted text
• Improved error messages for unsupported external $ref schema references in OpenAPI imports

Changes

• Upgraded web UI framework from Bootstrap 3 to Bootstrap 5
• Upgraded from WireMock 2 to WireMock 3
• Simplified the HTTP Record page to show a single Recording URL input by default for the common case of recording one backend; click Record from multiple URLs to reveal URL pattern fields and record from multiple backends in one session
• Added trafficparrot.virtualservice.grpc.tls.enabled and trafficparrot.virtualservice.grpc.non.tls.enabled properties to allow independently enabling/disabling each gRPC server port
• New code should use the TransformedRequest.like(Request) static factory method in place of the deprecated TransformedRequest public constructor; the deprecated constructor remains available for backwards compatibility
• IBM MQ client library updated from com.ibm.mq.allclient to com.ibm.mq.jakarta.client. If upgrading, replace com.ibm.mq.allclient.jar with com.ibm.mq.jakarta.client.jar in your lib/external/ folder — see JMS and IBM MQ documentation for details. Existing javax.jms plugins continue to work without source changes; support for javax-based plugins will be removed in a future major release.

Traffic Parrot 5.57.3 released, what's new?

We have just released version 5.57.3. Here is a list of the changes that came with the release:

Features

• Added import/export UI for gRPC, Files and JMS protocols
• Added parseCsv Handlebars helper for parsing CSV data in dynamic responses
• Improved OpenAPI validation to correctly resolve $ref schema references

Fixes

• Fixed mapping name not being saved when cache is enabled
• Fixed OpenAPI validation issue with double-slash paths
• Fixed configuration files API path handling on Mac/Linux and Windows
• Library upgrades to fix OWASP issues

Changes

• Renewed sample SSL certificates

Traffic Parrot 5.56.5 released, what's new?

We have just released version 5.56.5. Here is a list of the changes that came with the release:

Features

• Added ResponseToPdf transformer for converting HTTP responses to PDF documents

Fixes

• Fixed cache invalidation issue when modifying active composite scenario
• Fixed an issue with __files not being read from the current scenario for some file types
• Fixed transformer multi-select UI behavior in mapping editor
• Mapping files are no longer unnecessarily trimmed on startup
• Prevent comment line being written for scenario property files
• Improved SDK workspace configuration to avoid missing dependency errors
• Library upgrades to fix OWASP issues

Changes

• Updated sample gRPC SSL certificates
• Upgraded gRPC from 1.67.1 to 1.75.0

How Traffic Parrot's Service Simulation Platform Accelerates ECC-2 Compliance for Saudi Organizations

Saudi Arabia's updated Essential Cybersecurity Controls (ECC-2:2024) framework presents both challenges and opportunities for organizations operating in the Kingdom. With 108 controls across four domains and new requirements for complete environment segregation, comprehensive security testing, and Saudi workforce localization, organizations need robust testing solutions that can deliver compliance without compromising development velocity.

Traffic Parrot's service simulation and API mocking platform directly addresses these challenges, enabling organizations to meet ECC-2 requirements while maintaining the agility needed for Vision 2030's digital transformation goals.

The ECC-2 Compliance Challenge

The National Cybersecurity Authority's updated framework isn't just about checking boxes. It demands:

• Complete isolation between production, test, and development environments
• Comprehensive security testing before any production deployment
• Zero exposure of production data during testing phases
• Continuous validation of security controls throughout development
• Third-party risk assessment without actual system connections

Traditional testing approaches that rely on production systems or real data simply cannot meet these requirements efficiently or safely.

Traffic Parrot's Direct Solution

Our service simulation platform transforms how organizations approach ECC-2 compliance by creating virtual representations of APIs, services, and third-party systems. This isn't just about mocking—it's about building a comprehensive testing ecosystem that satisfies regulatory requirements while accelerating development.

Real-World Application: Saudi Banking Sector

Consider a Saudi bank integrating with SAMA regulatory reporting APIs, SADAD payment services, and Absher authentication. With Traffic Parrot, they can:

• Simulate all government service APIs without production credentials
• Test security controls including OAuth flows, certificate validation, and encryption
• Validate disaster recovery procedures through controlled failure scenarios
• Train security teams on incident response without real threats
• Document everything for NCA compliance audits

Supporting Saudization Requirements

ECC-2 mandates that all cybersecurity positions be filled by qualified Saudi professionals. Traffic Parrot supports this requirement through:

• Local deployment options within Saudi data centers
• Knowledge transfer initiatives
• Simplified interfaces that accelerate skill development

Getting Started

Organizations can achieve measurable ECC-2 compliance improvements within weeks:

1. Deploy Traffic Parrot in your isolated test environment
2. Create service simulations for your critical APIs and integrations
3. Implement security test scenarios aligned with ECC-2 controls
4. Generate compliance reports for NCA requirements
5. Scale across teams as you demonstrate value

The Path Forward

As Saudi Arabia advances its Vision 2030 objectives, the intersection of innovation and security becomes increasingly critical. Traffic Parrot enables organizations to move fast without breaking things—or regulations.

The updated ECC-2 framework isn't just another compliance burden. It's an opportunity to build better, more secure systems. With Traffic Parrot's service simulation platform, you can turn regulatory requirements into competitive advantages.

#ECC2 #SaudiCybersecurity #APITesting #ServiceSimulation #NCA #Compliance #TrafficParrot

Traffic Parrot 5.55.2 released, what's new?

We have just released version 5.55.2. Here is a list of the changes that came with the release:

Features

• Added keyboard shortcut Ctrl/Cmd+F to focus search in mappings list for improved navigation
• Separated URL matcher from URL in mappings list to enable proper sorting by URL
• Improved UI responsiveness when working with large numbers of mappings

Fixes

• Refresh scenario dropdown when composite scenario first used

How to Mock APIs 10x Faster Using AI Chatbots

In our latest tutorial, we create a dynamic mock that returns different responses based on the day of the week. What typically takes 20 minutes of documentation diving, AI completes helps us complete in under 2 minutes.

Quick Tips for Success

Choose the Right Model

• Paid models (Claude Opus 4, ChatGPT 4.5) = first-try success
• Free models = expect 2-3 iterations

Write Better Prompts

• Be specific about your requirements
• Describe expected behavior clearly

Beyond Basic Mocks

• Use AI for complex troubleshooting
• Validate your debugging approach
• Discover diagnostic steps you might have missed

Get Started Today

We've built custom AI assistants specifically for Traffic Parrot users. Access them at trafficparrot.com/ai.

⚠️ Security reminder: Always remove sensitive data before sharing with AI.

Traffic Parrot 5.54.2 released, what's new?

We have just released version 5.54.2. Here is a list of the changes that came with the release:

Features

• Added Composite scenario support for HTTP virtual services, allowing you to combine mappings from multiple scenarios into a single active scenario
• Added URL rewriting support during HTTP recording via the trafficparrot.http.recording.rewrite.regex property to automatically transform URLs in response bodies
• Added RequestToPdf response transformer for generating PDF files from request bodies in test environments
• Added support for Brotli compression decoding during HTTP recording

Fixes

• Fixed a UI mapping list rendering issue seen on some browsers
• Fixed tooltip display issues in the web interface
• Library upgrades to fix OWASP issues

Changes

• Upgraded bundled JRE from 21.0.6 to 21.0.7

Traffic Parrot 5.53.1 released, what's new?

We have just released version 5.53.1. Here is a list of the changes that came with the release:

Features

• Added new properties to performance profile settings:

  trafficparrot.virtualservice.httpRequestLoggingDisabled=true
  trafficparrot.virtualservice.accessLogsEnabled=false
  trafficparrot.virtualservice.handlebars.maxCacheEntries=10000

Setting custom domain for Traffic Parrot HTTP mocks

 "I want to use an abc.local.excample.com domain instead of localhost to bypass the cors errors while recording. I used mkcert to generate the keys. Should this command work?
./start.sh trafficparrot.gui.https.port=21000 trafficparrot.virtualservice.https.port=21001 -Djavax.net.ssl.keyStore=~/pem/keystore.p12 -Djavax.net.ssl.keyStorePassword=password12345678 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyAlias=trafficparrot" - Staff Engineer working for a US university.

The solution to this issue is described in the documentation in the section "Change the HTTPS server certificate." https://trafficparrot.com/documentation/5.51.x/user_guide.html

If you connect to Traffic Parrot via HTTPS it will return a self-signed certificate.

If you would like Traffic Parrot to use a different certificate for its HTTPS virtual service you can override the PrivateKeyEntry called trafficparrot in trafficparrot-x.y.z/certificates/trafficparrot-keystore.jks. The password to the JKS keystore is trafficparrot.

Traffic Parrot 5.53.0 released, what's new?

We have just released version 5.53.0. Here is a list of the changes that came with the release:

Features

• Added searchable dropdown to scenario selection in the UI for better usability

Fixes

• Library upgrades to fix OWASP issues

Changes

• Increased the minimum Java runtime requirement from Java 8 to Java 17. We will continue to support Java 8 for all customers that have not yet upgraded.
• Upgraded Jetty server from v9 to v12

How do I set up an OPTIONS request in Traffic Parrot?

 "UI is making an OPTIONS request but the mock doesn’t seem to be returning the right headers resulting in CORS error. I tried changing port , URL, nothing helped, only the same Allow, Server response headers were being sent back." - Staff Engineer working for a US university.

By default, trafficparrot.properties has a flag set:
trafficparrot.http.optionsResponse.enabled=true

This tells Traffic Parrot to return a default automatic OPTIONS response with the "allow" header set only, for any defined mapping.

If you set the flag to false:

trafficparrot.http.optionsResponse.enabled=false

It will allow you to define your own custom OPTIONS response instead.

Can Traffic Parrot return binary files in responses?

 "Can an HTTP response in Traffic Parrot contain a binary file?" - software developer working for an e-commerce company.

Yes.

The simplest way to create a mock in Traffic Parrot that returns a binary file in the response is to create that mock by doing a recording. That assumes you have a real service that you can record.

If you don't have a real service that returns the binary file in the response, you can create a mapping manually. To do that:

1. Create a file in trafficparrot-x.y.z/mappings directory called, for example mapping-dummy-file.json
2. The mapping-dummy-file.json should contain the following (notice the reference to body-dummy-file.pdf): 

   {
     "id" : "5d6a8f32-914c-4b67-ae15-f2c9d7b3e091",
     "name" : "mapping-dummy-file.json",
     "request" : {
       "url" : "/dummy.pdf",
       "method" : "GET"
     },
     "response" : {
       "status" : 200,
       "bodyFileName" : "body-dummy-file.pdf",
       "headers" : {
         "Content-type" : "application/pdf"
       }
     }
   }

3. Create the binary response body file body-dummy-file.pdf in trafficparrot-x.y.z/__files. You can use any PDF file just make sure the filename is specified in the mapping json file in bodyFileName attribute
4. Now if you visit http://localhost:8081/dummy.pdf then a PDF binary file will be returned. 

Traffic Parrot 5.52.0 released, what's new?

We have just released version 5.52.0. Here is a list of the changes that came with the release:

Features

• Import OpenAPI files from the openapi configuration directory on startup
• Enable in trafficparrot.properties by setting:

  trafficparrot.openapi.import.on.startup=true

Fixes

• Library upgrades to fix OWASP issues

Changes

• Upgraded bundled JRE from 8u402 to 21.0.6
• OpenAPI imports performed via the UI will override the previous import rather than duplicating mappings
• Downgraded to WireMock 2 request matchers and Handlebars response templating helpers due to performance issues with WireMock 3