go-httpbin
go-httpbin is a lightweight, Go-based clone of the httpbin HTTP testing service with zero external dependencies. It runs as a standalone binary, Docker image, or embedded library for testing HTTP client behavior in Go applications.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | mccutchen/go-httpbin |
| Owner | mccutchen |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 859 |
| Forks | 179 |
| Open issues | 9 |
| Latest release | v2.23.1 (2026-06-09) |
| Last updated | 2026-06-24 |
| Source | https://github.com/mccutchen/go-httpbin |
What go-httpbin is
A pure Go implementation of httpbin using only the Go standard library, providing HTTP request/response inspection, delay simulation, status code testing, and redirect handling. Supports TLS, configurable timeouts, body size limits, and deployment via Docker/Kubernetes.
Get the go-httpbin source
Clone the repository and explore it locally.
git clone https://github.com/mccutchen/go-httpbin.gitcd go-httpbin# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Zero stdlib dependencies simplify deployment and reduce attack surface; verify embedded usage in existing Go projects via `go get github.com/mccutchen/go-httpbin/v2`.
- Configure request limits upfront: set `-max-body-size` and `-max-duration` to prevent resource exhaustion from malicious or misbehaving clients.
- Non-root Docker images (v2.19.0+) require adjusted file permissions and user IDs if TLS certificates or privileged ports are needed.
- For public instances, restrict `/redirect-to` domain allowlist and consider wrapping with custom instrumentation (logging, metrics) as documented.
- Runs on configurable host/port with optional path prefix; verify firewall/network policies align with deployment topology.
When to avoid it — and what to weigh
- Production Request Inspection at Scale — Not designed as a high-traffic production logging/monitoring proxy; lacks authentication, encryption at rest, and audit trails necessary for sensitive request inspection.
- Non-Go Ecosystems — Requires Go toolchain or Docker; if your team is Python/Node-centric, the original httpbin or language-specific alternatives may be easier to manage.
- Security-Critical Environments — Documented dangerous endpoints (XSS attacks via `-unsafe-allow-dangerous-responses`); requires careful configuration and not suitable for untrusted client exposure without hardening.
- Stateful HTTP Testing — Designed for stateless request echo/inspection; lacks session storage, database integration, or complex state machine simulation.
License & commercial use
MIT License: permissive OSI-approved license allowing commercial use, modification, and redistribution with attribution.
MIT License permits commercial use in applications and deployments. Verify compliance with MIT terms (include license notice in distributions). No vendor lock-in or proprietary restrictions. Suitable for proprietary product testing infrastructure.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Documented open redirect risk in `/redirect-to` endpoint (mitigated via allowlist). XSS attack risk if `-unsafe-allow-dangerous-responses` enabled (default off). No authentication/authorization layer; intended for internal testing, not public-facing APIs. Hostname and version endpoints can leak infrastructure details if enabled. Server timeouts and header/body limits tunable to prevent DoS. Non-root Docker image improves container isolation.
Alternatives to consider
httpbin (Python/Flask original)
Official reference implementation; if already using Python or prefer upstream compatibility, more battle-tested but requires Python runtime and external dependencies.
httpstat.us or httpbin.org (public SaaS)
No deployment/infrastructure needed; suitable for quick testing but introduces external dependency, network latency, and potential rate-limiting/outages.
mockito/testify (Go mocking libraries)
Programmatic HTTP mock setup; better for unit tests of individual handlers but requires inline mock definition; less suitable for end-to-end or multi-service testing.
Build on go-httpbin with DEV.co software developers
Deploy go-httpbin in your testing pipeline in minutes. Use as a standalone service, Docker container, or Go library. No external dependencies, MIT licensed.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
go-httpbin FAQ
Can I use go-httpbin in production?
Does it require external dependencies?
How do I embed it in my Go tests?
What endpoints does it support?
Work with a software development agency
From first prototype to production, DEV.co delivers software development services around tools like go-httpbin. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source testing and beyond.
Get Started with go-httpbin
Deploy go-httpbin in your testing pipeline in minutes. Use as a standalone service, Docker container, or Go library. No external dependencies, MIT licensed.