DEV.co
Open-Source Testing · mccutchen

go-httpbin

go-httpbin is a lightweight, Go-based clone of the httpbin HTTP testing service with zero external dependencies. It runs as a standalone binary, Docker image, or embedded library for testing HTTP client behavior in Go applications.

Source: GitHub — github.com/mccutchen/go-httpbin
859
GitHub stars
179
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymccutchen/go-httpbin
Ownermccutchen
Primary languageGo
LicenseMIT — OSI-approved
Stars859
Forks179
Open issues9
Latest releasev2.23.1 (2026-06-09)
Last updated2026-06-24
Sourcehttps://github.com/mccutchen/go-httpbin

What go-httpbin is

A pure Go implementation of httpbin using only the Go standard library, providing HTTP request/response inspection, delay simulation, status code testing, and redirect handling. Supports TLS, configurable timeouts, body size limits, and deployment via Docker/Kubernetes.

Quickstart

Get the go-httpbin source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/mccutchen/go-httpbin.gitcd go-httpbin# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

HTTP Client Testing in Go

Embed as a library in unit tests to verify application behavior against controlled HTTP responses, timeouts, and edge cases without external service dependencies.

Integration Testing Environment

Deploy as a standalone service or Docker container in CI/CD pipelines to provide a predictable, configurable HTTP echo/test service for multiple tests or services.

Development & Debugging

Use locally as a mock HTTP service to simulate various HTTP scenarios (slow responses, redirects, authentication) while developing or debugging HTTP client code.

Implementation considerations

  • Zero stdlib dependencies simplify deployment and reduce attack surface; verify embedded usage in existing Go projects via `go get github.com/mccutchen/go-httpbin/v2`.
  • Configure request limits upfront: set `-max-body-size` and `-max-duration` to prevent resource exhaustion from malicious or misbehaving clients.
  • Non-root Docker images (v2.19.0+) require adjusted file permissions and user IDs if TLS certificates or privileged ports are needed.
  • For public instances, restrict `/redirect-to` domain allowlist and consider wrapping with custom instrumentation (logging, metrics) as documented.
  • Runs on configurable host/port with optional path prefix; verify firewall/network policies align with deployment topology.

When to avoid it — and what to weigh

  • Production Request Inspection at Scale — Not designed as a high-traffic production logging/monitoring proxy; lacks authentication, encryption at rest, and audit trails necessary for sensitive request inspection.
  • Non-Go Ecosystems — Requires Go toolchain or Docker; if your team is Python/Node-centric, the original httpbin or language-specific alternatives may be easier to manage.
  • Security-Critical Environments — Documented dangerous endpoints (XSS attacks via `-unsafe-allow-dangerous-responses`); requires careful configuration and not suitable for untrusted client exposure without hardening.
  • Stateful HTTP Testing — Designed for stateless request echo/inspection; lacks session storage, database integration, or complex state machine simulation.

License & commercial use

MIT License: permissive OSI-approved license allowing commercial use, modification, and redistribution with attribution.

MIT License permits commercial use in applications and deployments. Verify compliance with MIT terms (include license notice in distributions). No vendor lock-in or proprietary restrictions. Suitable for proprietary product testing infrastructure.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Documented open redirect risk in `/redirect-to` endpoint (mitigated via allowlist). XSS attack risk if `-unsafe-allow-dangerous-responses` enabled (default off). No authentication/authorization layer; intended for internal testing, not public-facing APIs. Hostname and version endpoints can leak infrastructure details if enabled. Server timeouts and header/body limits tunable to prevent DoS. Non-root Docker image improves container isolation.

Alternatives to consider

httpbin (Python/Flask original)

Official reference implementation; if already using Python or prefer upstream compatibility, more battle-tested but requires Python runtime and external dependencies.

httpstat.us or httpbin.org (public SaaS)

No deployment/infrastructure needed; suitable for quick testing but introduces external dependency, network latency, and potential rate-limiting/outages.

mockito/testify (Go mocking libraries)

Programmatic HTTP mock setup; better for unit tests of individual handlers but requires inline mock definition; less suitable for end-to-end or multi-service testing.

Software development agency

Build on go-httpbin with DEV.co software developers

Deploy go-httpbin in your testing pipeline in minutes. Use as a standalone service, Docker container, or Go library. No external dependencies, MIT licensed.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

go-httpbin FAQ

Can I use go-httpbin in production?
Yes, but with hardening: restrict domains, tune limits, run non-root, hide real hostnames, and add custom instrumentation. Not recommended for public APIs without authentication/rate-limiting.
Does it require external dependencies?
No; zero dependencies outside Go stdlib, simplifying deployment and reducing vulnerability surface compared to original httpbin.
How do I embed it in my Go tests?
Import `github.com/mccutchen/go-httpbin/v2/httpbin`, create an app instance, wrap it with `httptest.NewServer()`, and use the test server URL in your client code.
What endpoints does it support?
Comprehensive set based on httpbin spec: `/get`, `/post`, `/delay`, `/status`, `/redirect`, `/cookies`, `/headers`, `/ip`, `/user-agent`, etc. See GitHub README for full list.

Work with a software development agency

From first prototype to production, DEV.co delivers software development services around tools like go-httpbin. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source testing and beyond.

Get Started with go-httpbin

Deploy go-httpbin in your testing pipeline in minutes. Use as a standalone service, Docker container, or Go library. No external dependencies, MIT licensed.