Mitmproxy

Latest version: v11.1.3

Page 1 of 14

11.1.3

- Update mitmproxy_rs dependency to fix several bugs in local capture mode.
([7564](https://github.com/mitmproxy/mitmproxy/pull/7564), mhils)
- Add documentation for local capture mode.
([7540](https://github.com/mitmproxy/mitmproxy/pull/7540), mhils)
- Revise documentation on proxy modes.
([7545](https://github.com/mitmproxy/mitmproxy/pull/7545), mhils)
- Add a log message to point Docker mitmweb users towards `web_password`.
([7554](https://github.com/mitmproxy/mitmproxy/pull/7554), mhils)
- Fix a bug where UTF-8 surrogates would crash the export addon.
([7562](https://github.com/mitmproxy/mitmproxy/pull/7562), mhils)
- Add help entries for all options in mitmweb that didn't have them.
([7563](https://github.com/mitmproxy/mitmproxy/pull/7563), mhils)

11.1.2

- [CVE-2025-23217](https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p):
mitmweb's API now requires an authentication token by default.
The mitmweb API is bound to localhost only, but gronke found that an attacker can circumvent that restriction
by tunneling requests through the proxy server itself in an [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style attack.
([fa89055](https://github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a), mhils)
- Add (optional) password protection for mitmweb. The `web_password` option replaces the randomly-generated token
authentication with a fixed secret that survives mitmproxy restarts.
([0bd573a](https://github.com/mitmproxy/mitmproxy/commit/0bd573a5995f61d82f5157e927b0eb93cdc4ebab), mhils)
- mitmweb can now be hosted under arbitrary domains; the previously used DNS rebind protection is no longer required.
([62693af](https://github.com/mitmproxy/mitmproxy/commit/62693aff9a38ad0bb36716569fc627f26e489ccc), mhils)
- Security Hardening: mitmweb's `xsrf_token` cookie is now `HttpOnly; SameSite=Strict`.
([7491](https://github.com/mitmproxy/mitmproxy/pull/7491), mhils)
- We now provide standalone binaries for Linux arm64.
([7484](https://github.com/mitmproxy/mitmproxy/pull/7484), mhils)
- Standalone binaries are now compiled with Python 3.13.
([7485](https://github.com/mitmproxy/mitmproxy/pull/7485), mhils)
- Fix console freezing due to DNS queries with an empty question section.
([7497](https://github.com/mitmproxy/mitmproxy/pull/7497), sujaldev)
- Add mitmweb tutorial to docs.
([7509](https://github.com/mitmproxy/mitmproxy/pull/7509), EstherRoeth)
- Fixed a bug that caused mitmproxy to crash when loading prior knowledge h2 flows.
([7514](https://github.com/mitmproxy/mitmproxy/pull/7514), sujaldev)
- Fix a bug where mitmproxy would get stuck in secure web proxy mode when using `ignore_hosts` or `allow_hosts`.
([7519](https://github.com/mitmproxy/mitmproxy/pull/7519), mhils)
- Copy request/response data to the clipboard in mitmweb
([7352](https://github.com/mitmproxy/mitmproxy/pull/7352), lups2000)
- Fix a bug where exporting a curl or httpie command with escaped characters would lead to different data being sent.
([7520](https://github.com/mitmproxy/mitmproxy/pull/7520), proteusvacuum)

11.1.1

- Yanked. Identical to 11.1.2, but failed to deploy in CI.

11.1.0

Not secure
- **Local Capture Mode** is now available on Linux as well.
([7440](https://github.com/mitmproxy/mitmproxy/pull/7440), mhils)
- mitmproxy now requires Python 3.12 or above.
([7440](https://github.com/mitmproxy/mitmproxy/pull/7440), mhils)
- Add cache-busting for mitmweb's front end code.
([7386](https://github.com/mitmproxy/mitmproxy/pull/7386), mhils)
- Clicking the URL in mitmweb now places the cursor at the current position instead of selecting the entire URL.
([7385](https://github.com/mitmproxy/mitmproxy/pull/7385), lups2000)
- Add missing status codes
([7455](https://github.com/mitmproxy/mitmproxy/pull/7455), jwadolowski)
- All filter expressions are now case-insensitive by default.
Users can opt into case-sensitive filters by setting `MITMPROXY_CASE_SENSITIVE_FILTERS=1`
as an environment variable.
([7458](https://github.com/mitmproxy/mitmproxy/pull/7458), mhils, AdityaPatadiya)
- Remove filter expression lowercasing in block_list addon
([7456](https://github.com/mitmproxy/mitmproxy/pull/7456), jwadolowski)
- Remove check for status codes in the blocklist add-on.
([7453](https://github.com/mitmproxy/mitmproxy/pull/7453), lups2000, AdityaPatadiya)
- Prompt user before clearing screen
([7445](https://github.com/mitmproxy/mitmproxy/pull/7445), errorxyz)

11.0.2

Not secure
- Stop sorting keys in JSON contentview
([7346](https://github.com/mitmproxy/mitmproxy/pull/7346), injust)
- Fix a bug where a custom CA would raise an error.
([7355](https://github.com/mitmproxy/mitmproxy/pull/7355), nneonneo)
- Fix a bug where the mitmproxy UI would crash on negative durations.
([7358](https://github.com/mitmproxy/mitmproxy/pull/7358), mhils)
- Allow technically invalid HTTP transfer encodings in requests if `validate_inbound_headers` is disabled.
([7361](https://github.com/mitmproxy/mitmproxy/pull/7361), [7373](https://github.com/mitmproxy/mitmproxy/pull/7373), mhils)
- Fix a bug in window management in the mitmproxy TUI where the help window did not appear if "?" was pressed within the overlay.
([6500](https://github.com/mitmproxy/mitmproxy/pull/6500), emanuele-em)

11.0.1

Not secure
- Tighten HTTP detection heuristic to better support custom TCP-based protocols.
([7228](https://github.com/mitmproxy/mitmproxy/pull/7228), fatanugraha)
- Implement stricter validation of HTTP headers to harden against request smuggling attacks.
([7345](https://github.com/mitmproxy/mitmproxy/issues/7345), mhils)
- Increase HTTP/2 default flow control window size, fixing performance issues.
([7317](https://github.com/mitmproxy/mitmproxy/pull/7317), sujaldev)
- Fix a bug where mitmproxy would incorrectly report that TLS 1.0 and 1.1 are not supported
with the current OpenSSL build.
([7241](https://github.com/mitmproxy/mitmproxy/pull/7241), mhils)
- Docker: Update image to Python 3.13 on Debian Bookworm.
([7242](https://github.com/mitmproxy/mitmproxy/pull/7242), mhils)
- Add a `tun` proxy mode that creates a virtual network device on Linux for transparent proxying.
([7278](https://github.com/mitmproxy/mitmproxy/pull/7278), mhils)
- `browser.start` command now supports Firefox.
([7239](https://github.com/mitmproxy/mitmproxy/pull/7239), sujaldev)
- Fix interaction of the `modify_headers` and `stream_large_bodies` options.
This may break users of `modify_headers` that rely on filters referencing the message body.
We expect this to be uncommon, but please make yourself heard if that's not the case.
([7286](https://github.com/mitmproxy/mitmproxy/pull/7286), lukant)
- Fix a crash when handling a corrupted compressed body in the savehar addon and its tests.
([7320](https://github.com/mitmproxy/mitmproxy/pull/7320), 8192bytes)
- Remove dependency on `protobuf` library as it was no longer being used.
([7327](https://github.com/mitmproxy/mitmproxy/pull/7327), matthew16550)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.