har-mcp
Generates ready-to-run code snippets using Axios from HAR file requests.
Generates cURL commands from HAR file requests for replay testing.
Generates Dart code using Dio from HAR file requests.
Detects leaked GitHub tokens in HAR captures for security analysis.
Detects and analyzes GraphQL operations, including queries, mutations, and subscriptions, within HAR captures.
Generates JavaScript code snippets (e.g., using fetch, axios) from HAR file requests.
Generates jQuery AJAX code snippets from HAR file requests.
Generates Kotlin code using OkHttp from HAR file requests.
Generates Node.js code snippets (e.g., using fetch, axios) from HAR file requests.
Generates PHP code using cURL or Guzzle from HAR file requests.
Exports HAR captures as Postman Collections (v2.1) for API workflow testing.
Generates Python code using requests or http.client from HAR file requests.
Generates shell cURL commands from HAR file requests for easy command-line replay.
Detects leaked Stripe API tokens in HAR captures for security analysis.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@har-mcpSummarize this HAR file."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
har-mcp
Professional MCP server for HAR (HTTP Archive) network captures.
Fast • Safe • AI-first • Zero configuration
Point an AI agent at a .har file and let it extract endpoints, detect GraphQL, hunt leaked secrets, group traffic by domain, surface web issues, export cURL/Postman, compare captures, and generate reports.
Features
⚡ Fast cached HAR loading
🤖 AI-first MCP tools
🔍 API & GraphQL discovery
🔐 Secret detection
📊 Timeline & dependency analysis
📦 OpenAPI & Postman export
💻 cURL and code generation
🛡 Automatic backups before modifications
Related MCP server: Burp Suite MCP Analyzer
Install
# via npx (no install)
npx har-mcp
# or globally
npm install -g har-mcp
har-mcpRequires Node.js >= 18. No build step. ESM-only.
Quick Start
Open any MCP-compatible client and ask:
"Summarize this HAR."
"Find leaked secrets."
"Export all GraphQL requests to Postman."
"Generate OpenAPI from this capture."
"Show slow requests over 2 seconds."
Supported Formats
Supports standard HAR 1.2 exports from:
Chrome DevTools
Edge
Firefox
Reqable
Charles Proxy
Fiddler
Proxyman
HTTP Toolkit
mitmproxy
Why har-mcp?
Feature | har-mcp |
GraphQL detection | ✅ |
Secret scanning | ✅ |
OpenAPI generation | ✅ |
Postman export | ✅ |
Code generation | ✅ |
MCP native | ✅ |
AI optimized | ✅ |
Example
User:
Find Bearer tokens.
Agent:
> workspace(har_path="capture.har")
{
"log": { "entries": 1247, ... }
}
> find_secrets(har_path="capture.har")
Found 1 potential secret(s) (values masked)
> get_request(har_path="capture.har", index=42)
Authorization: Bearer eyJhbGciOi...
> generate_code(har_path="capture.har", index=42, language="shell", framework="curl")
curl -X GET https://api.example.com/...How It Works
Agent-driven analysis — MCP clients (Claude Desktop, Cursor, VS Code, Kilo) call tools over stdio.
Fast file access — HAR files are cached in memory by
path + size + mtimeMs. A persistent index in~/.cache/har/index.jsonstores precomputed workspace stats.Smart tool routing —
recommend_tool(goal)andhelp(tool)guide agents to the right workflow.Safe mutations — destructive tools (
delete_host_requests,delete_request) write.bakbackups to~/.cache/har/backups/before modifying files.
Capabilities
Category | Tools |
Discovery |
|
Inspection |
|
Analysis |
|
Security |
|
Export |
|
Maintenance |
|
Agent Help |
|
AI Workflow
Recommended order for agents analyzing a HAR file:
workspace— understand the capture shape (entries, hosts, domains, special protocols).describe_har— get a plain-English overview.detect_issues/find_secrets— surface problems and leaked credentials.group_by_host/extract_endpoints— narrow scope before deep inspection.get_request/search_requests— inspect specific requests.export_postman/generate_openapi/generate_code— export or replay findings.
Use help(tool='...') for detailed arguments and examples, and recommend_tool(goal='...') to discover the right tool for a task.
AI-Friendly
The server is designed for language models:
Deterministic output — same input always returns same output.
Machine-readable — structured text, JSON, and markdown.
Predictable schema — Zod-validated arguments and return types.
Token efficient — compact output with optional truncation.
Self-documenting —
help()andrecommend_tool()let agents discover capabilities without external docs.
Output Examples
detect_graphql
Detected 3 GraphQL operation(s)
Operation | Type | Method | Status | Errors |
Login | query | POST | 200 | 0 |
RefreshToken | mutation | POST | 200 | 0 |
Me | query | POST | 200 | 0 |
find_secrets
Found 1 potential secret(s) (values masked)
Type | Where | Location | Value |
bearer | authorization | eyJhbG... |
timeline (mermaid)
gantt
title Request Timeline
dateFormat X
section Auth
Login :0, 120
section API
GetUser :150, 300Performance
In-memory cache — HAR files cached by
path + size + mtimeMskey.Incremental index —
~/.cache/har/index.jsonstores precomputed workspace stats.Lazy formatting — request details are formatted only when requested.
Zero-copy parsing — JSON parsed once per cache miss.
Security
HAR files are processed entirely locally.
No network requests are made to external services.
No telemetry, analytics, or phone-home.
No external APIs contacted.
Secrets are masked in tool output.
Supported Code Generation
generate_code supports:
C (libcurl)
C# (HttpClient, RestSharp)
Dart (Dio)
Go (native net/http)
Java (AsyncHttp, HttpClient, OkHttp, Unirest)
JavaScript (axios, fetch, jQuery, XHR)
Kotlin (OkHttp)
Node.js (axios, fetch, native, request, Unirest)
PHP (curl, Guzzle)
Python (http.client, Requests)
Shell (curl)
Supported MCP Clients
Claude Desktop
Cursor
VS Code
Kilo
Cline
Windsurf
Roo Code
Any MCP-compatible client
Usage
Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"har-mcp": {
"command": "npx",
"args": ["har-mcp"]
}
}
}Cursor / VS Code
Add to your MCP settings:
{
"mcpServers": {
"har-mcp": {
"command": "npx",
"args": ["har-mcp"]
}
}
}Filtering
list_requests, group_by_host, and search_requests accept filters:
session:http|https|websocket|sseprotocol:http1|http2|http3mime:json|xml|text|html|js|image|media|binarycode:1xx|2xx|3xx|4xx|5xx
search_requests also supports case_sensitive and regex modes.
Goal → Tool Reference
Goal | Tool |
Overview |
|
Find APIs |
|
GraphQL |
|
Security |
|
Performance |
|
Debug request |
|
Export Postman |
|
Generate OpenAPI |
|
Replay request |
|
Generate code |
|
Architecture
Entry:
src/index.js→main()insrc/server.js→createServer()Tools: 28 MCP tools registered in
src/server.jswith Zod schemas andwrap()error handlingModules:
har.js— file loading, HAR helpers, cache, indexanalyze.js— list, filter, group, detect issues, secrets, GraphQLrequest.js— request formatting (summary, raw, headers, cookies, body)export.js— Postman export, markdown/HTML reportssnippets.js— code generation (11 languages, ~15 frameworks)compare.js— HAR diffinginsights.js— timeline, dependency tree, OpenAPI, describe
Cache / Work Directory
Cache dir:
~/.cache/har/Backups:
~/.cache/har/backups/Reports:
~/.cache/har/reports/Index:
~/.cache/har/index.json
Tool Reference
workspace
Return metadata about the loaded HAR file: entry count, hosts, domains, GraphQL/WebSocket/SSE presence, start time, and total duration.
har_summary
Quick overview: request count, domains, endpoints, GraphQL, secrets, and issue counts.
describe_har
Generate a natural-language description of the HAR file contents.
list_requests
List captured requests with filtering by host, session, protocol, MIME, and status code.
get_request
Show a single request in detail: summary, raw, query, body, headers, and cookies.
find_headers
Find all request/response headers with a given name across the HAR.
find_cookies
Find cookies in the HAR, optionally filtered by name.
search_requests
Search by keyword or regex in URL, request body, response body, or raw entry.
get_domains
List all domains seen in the HAR with request counts.
analyze_api
Analyze the API surface of one domain: endpoints, status codes, auth, and JSON body structure.
extract_endpoints
Extract and cluster unique API endpoints (method + path, IDs normalized to :id).
detect_graphql
Detect GraphQL operations and surface errors.
analyze_graphql
Analyze GraphQL operations by type: queries, mutations, subscriptions.
find_secrets
Hunt for leaked secrets: Bearer tokens, JWTs, API keys, AWS/Stripe/GitHub tokens, private keys.
group_by_domain
Group requests by domain with counts, methods, bytes, and timings.
group_by_host
Group requests by host:port with request counts and filters.
find_duplicates
Find duplicate requests (same method + URL) for de-noising.
detect_issues
Detect common web problems: 4xx/5xx errors, redirects, CORS, cache, mixed content, missing security headers, large/slow responses.
timeline
Show a chronological timeline of requests with relative timings and optional mermaid Gantt chart.
dependency_tree
Build a best-effort dependency tree from Referer headers.
generate_code
Generate ready-to-run code snippets. Supports 11 languages and multiple frameworks, including language="shell" + framework="curl" for cURL commands.
export_postman
Export the HAR as a Postman Collection (v2.1) JSON.
generate_openapi
Generate a basic OpenAPI 3.1.0 spec from the HAR's API endpoints.
generate_report
Generate a human-readable analysis report (markdown or HTML).
compare_har
Compare two HAR captures: added/removed/changed endpoints, new cookies, new secrets.
delete_request
Remove a single request by index, writing a .bak backup first.
delete_host_requests
Remove all requests for a given host, writing a .bak backup first.
help
Return detailed help for any tool: args, returns, related tools, and examples.
recommend_tool
Suggest tools based on a natural-language goal.
FAQ
Does this modify my HAR?
No. Only delete_request and delete_host_requests modify files, and they automatically create .bak backups in ~/.cache/har/backups/.
Where are backups stored?
~/.cache/har/backups/ by default. The original .har file is never overwritten without a backup.
Is my data sent anywhere?
No. Everything runs locally. No telemetry, no analytics, no external APIs.
Which HAR versions are supported?
HAR 1.2, as exported by Chrome, Edge, Firefox, and most proxy tools.
How do I update?
npm update -g har-mcpLicense
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/GSK-F/har-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server