API Documentation

ScanFort Proxy API Reference

Complete REST API documentation for automating your security testing workflow

Installation

Get started with ScanFort Proxy by installing the local backend service.

Windows

Run this command in PowerShell:

powershell -Command "iwr https://beta.proxy.scanfort.com/portable/run/windows -UseBasicParsing | iex"

Linux

Run this command in your terminal:

curl https://beta.proxy.scanfort.com/portable/run/linux | bash

macOS

Run this command in your terminal:

curl https://beta.proxy.scanfort.com/portable/run/mac | bash

Alternative: Python Installation

If you have Python installed, you can download and run the installer script manually:

Download install.py from beta.proxy.scanfort.com/portable/run/python
Run the installer: python install.py

What the installer does:

✓ Installs ScanFort Proxy locally on your machine
✓ Starts the proxy service on localhost:8000
✓ Enables communication between the web frontend and local service

Quick Start

Once installed, the ScanFort Proxy API provides programmatic access to all proxy features. All endpoints return JSON responses following a consistent format:

{
  "status": "success",
  "result": { /* endpoint-specific data */ },
  "msg": null
}

Base URL: http://localhost:8000

Authentication

All API requests must include the following HTTP header:

sf-api-auth: YOUR_API_KEY

If the header is missing or invalid, the API will return:

HTTP/1.1 401 Unauthorized
{
  "detail": "Unauthorized: invalid or missing sf-api-auth header"
}

Examples

cURL

curl http://localhost:8000/home/flows/paged \
  -H "sf-api-auth: YOUR_API_KEY"

fetch

fetch("http://localhost:8000/home/flows/paged", {
  headers: {
    "sf-api-auth": "YOUR_API_KEY"
  }
});

Home - Flow Management

Manage and inspect captured HTTP flows with filtering, interception, and replay capabilities.

POST/home/init-data

Initialize home page state and retrieve interception status.

Response

{
  "interceptionActive": boolean,
  "lastSelectedFlow": number
}

GET/home/flows/paged

Retrieve paginated list of captured flows.

Query Parameters

offset - Starting index (default: 0)
limit - Number of items to return (default: 50)

Response

{
  "items": [
    {
      "homeFlowIndex": number,
      "id": string,
      "host": string,
      "path": string,
      "method": string,
      "status_code": number,
      "intercepted": boolean,
      "modified": boolean,
      "priority": number,
      "user_label": string
    }
  ],
  "is_last": boolean
}

POST/home/flow/get

Get detailed flow data for editing and inspection.

Request Body

{
  "index": number,
  "beautifyRequest": boolean,
  "beautifyResponse": boolean,
  "saveLastSelected": boolean
}

POST/home/flow/update

Update flow data with modifications.

Request Body

{
  "index": number,
  "changedData": {
    // Modified flow data
  }
}

Interception Control

POST/home/flows/start-interceptStart intercepting flows

POST/home/flows/resume-interceptResume all intercepted flows

POST/home/flows/step-interceptStep through intercepted flows

POST/home/flows/half-step-interceptHalf-step through interception

Flow Actions

POST/home/flow/add-to-notesAdd flow to notes collection

POST/home/flow/add-to-playgroundAdd flow to playground for testing

WS/home/ws/flows

WebSocket connection for real-time flow updates.

Playground - Flow Testing

Experiment with flows in an isolated environment for testing modifications and replays.

GET/playground/get-initial-data

Retrieve all playground flow briefs.

Response

{
  "items": [
    {
      "playgroundBriefIndex": number,
      "homeFlowIndex": number,
      "title": string,
      "user_label": string
    }
  ]
}

POST/playground/replay-flow

Replay a flow from the playground.

Request Body

{
  "index": number
}

Filter - Advanced Search

Powerful filtering capabilities with regex support and custom filter sessions.

POST/filter/start-basic

Start a basic regex-based filter session.

Request Body

{
  "searchRegex": string
}

Response

{
  "sessionId": number
}

POST/filter/start-custom

Create a custom filter session with advanced criteria.

Request Body

{
  "data": [
    {
      // Custom filter criteria
    }
  ],
  "inScope": boolean
}

POST/filter/flows/paged

Get paginated results from a filter session.

Request Body

{
  "sessionId": number,
  "offset": number,
  "limit": number
}

Notes - Documentation

Manage persistent notes and build a knowledge base of interesting flows and vulnerabilities.

GET/notes/get-initial-data

Get all notes metadata and available flow keys.

POST/notes/create-new-note

Create a new note document.

Request Body

{
  "title": string
}

GET/notes/get-file-by-name/{file_name}

Retrieve note content by filename.

POST/notes/set-data

Save note document data.

Request Body

{
  "fileName": string,
  "docData": Array<any>
}

GET/notes/delete-file-by-name/{file_name}

Delete a note by filename.

Recon - Intelligence Gathering

Smart parameter tracking and reconnaissance features for discovering patterns.

POST/recon/search

Smart search with context-based ranking.

Request Body

{
  "context": {
    // Search context
  },
  "return_type": "records",
  "limit": 10
}

POST/recon/latest-values

Get latest parameter values per user.

Request Body

{
  "host": string,
  "path": string,
  "key": string,
  "json_path": string
}

Settings - Configuration

Configure proxy behavior, scopes, header modifications, and browser integration.

Scope Management

POST/settings/set-in-scopesConfigure scope rules

POST/settings/get-in-scopesRetrieve current scopes

Header Modification

POST/settings/set-header-modifiersConfigure header modifications

POST/settings/get-header-modifiersGet active header modifiers

POST/settings/launch-browser

Launch a browser with proxy configuration.

Request Body

{
  "browser": string,
  "userLabel": string,
  "url": string
}

System

GET/settings/versionGet API version

POST/settings/clear-dbClear database

POST/settings/get-portsGet port mappings

Error Handling

Error Response Format

{
  "status": "error",
  "result": null,
  "msg": "Error description"
}

Common HTTP Status Codes

200 Success
400 Bad Request - Invalid parameters
404 Not Found - Resource doesn't exist
500 Internal Server Error

Code Examples

Python Example

import requests

# Get paginated flows
response = requests.get(
    "http://localhost:8000/home/flows/paged",
    params={"offset": 0, "limit": 50}
)

data = response.json()
if data["status"] == "success":
    flows = data["result"]["items"]
    for flow in flows:
        print(f"{flow['method']} {flow['host']}{flow['path']}")

JavaScript Example

// Start a filter session
const response = await fetch("http://localhost:8000/filter/start-basic", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    searchRegex: "api\\.example\\.com"
  })
});

const data = await response.json();
if (data.status === "success") {
  const sessionId = data.result.sessionId;
  console.log("Filter session created:", sessionId);
}

cURL Example

# Replay a flow
curl -X POST http://localhost:8000/playground/replay-flow \
  -H "Content-Type: application/json" \
  -d '{"index": 42}'