HTTPX is a fast and flexible HTTP toolkit created by Project Discovery. It allows security professionals to probe HTTP-based targets quickly and extract useful information like status codes, titles, redirects, web technologies, and much more.
In penetration testing, bug bounty hunting, and reconnaissance, speed and breadth matter. HTTPX makes it easy to automate web asset discovery, technology fingerprinting, and vulnerability mapping without heavy scripting. It’s built for high performance and deep inspection.
Why Use HTTPX?
- Asynchronous Capabilities: This tool natively supports async/await syntax, enabling thousands of concurrent HTTP requests with minimal resource consumption.
- HTTP/2 Support: Many modern APIs leverage HTTP/2 for better performance. This tool makes it easy to take advantage of that.
- Better Timeout Control: Fine-grained timeout configurations help avoid hanging network calls.
- Pluggable Transports: Customize your transport layer if you need specialized behaviors.
- Connection Pooling and Keep-Alive: Handles multiple requests efficiently.
- Drop-in Replacement for Requests: For many simple use cases, switching from requests to httpx requires minimal code changes.
Differences between HTTPX, Curl, Wget, Nmap
- Curl/Wget: Good for fetching web pages or files. Not optimized for mass URL probing.
- Nmap: Primarily a network scanner, not focused on detailed web probing.
- HTTPX: Explicitly designed for HTTP probing at scale with detailed outputs (technologies, titles, redirects, etc.).
When to Use HTTPX?
When you need to scan thousands of subdomains, discover web apps quickly, detect tech stacks, or validate live targets, HTTPX is the tool to reach for.
Key Features
- High-Performance HTTP Probing: Designed to handle thousands of targets with speed and stability.
- Web Technology Detection: Identifies web technologies like server types, CMSs, and frameworks.
- TLS and DNS Probing: Fetches SSL certificate information and DNS records.
- HTTP2 and HTTP3 Support: Automatically detects and supports modern HTTP protocols.
- Customizable Output: Supports JSON, CSV, silent output, and extensive filtering.
- Title and Status Code Extraction: Quickly grabs web page titles, status codes, and redirection chains.
- Silent Mode: For piping and clean automation workflows.
- Flexible Filters and Matchers: Fine-tune output based on status codes, words, content length, and more.
- Chainable with Other Tools: Works seamlessly with Subfinder, Naabu, and more for powerful recon automation.
- Rate Limiting and Retries: Manage scanning intensity and handle unstable targets.
Supported Probes
Probes | Default Check | Probes | Default Check |
---|---|---|---|
URL | true | IP | true |
Title | true | CNAME | true |
Status Code | true | Raw HTTP | false |
Content Length | true | HTTP2 | false |
TLS Certificate | true | HTTP Pipeline | false |
CSP Header | true | Virtual host | false |
Line Count | true | Word Count | true |
Location Header | true | CDN | false |
Web Server | true | Paths | false |
Web Socket | true | Ports | false |
Response Time | true | Request Method | true |
Favicon Hash | false | Probe Status | false |
Body Hash | true | Header Hash | true |
Redirect chain | false | URL Scheme | true |
JARM Hash | false | ASN | false |
Prerequisites
- Any Linux Distribution
- Internet Connection
- Go compiler
Install HTTPX
Installing the tool with Go is simple and straightforward.
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
Ensure Go is installed first. Then add $GOPATH/bin to your PATH if needed.
Or build it from source by cloning the Project Discovery repository with Git:
git clone https://github.com/projectdiscovery/httpx.git;
cd httpx/cmd/httpx;
go build;
mv httpx /usr/local/bin/;
httpx -v
Basic Usage
- Checking Alive URLs
echo cyberthreatinsider.com | httpx
By default, the tool outputs live/active URLs. No flag is needed to check whether a URL is live.
- Detecting Web Technologies
cat domains.txt | httpx -tech-detect
Flag | Description |
---|---|
-tech-detect | Identifies the web technologies a site is built on, such as Apache, Nginx, and WordPress. |
- Fetching Titles, Status Codes, Redirects
cat domains.txt | httpx -title -status-code -follow-redirects
Flag | Description |
---|---|
-title | Displays the title of the web page. |
-status-code | Displays the status code. |
-follow-redirects | Follows redirects. |
-fc | Filters the results by the given status code(s). |
- Text Count
echo "cyberthreatinsider.com" | httpx -lc -wc
Flag | Description |
---|---|
-lc | Displays the number of lines of the web page. |
-wc | Displays the number of words of the web page. |
Advanced Features
- TLS Probing
cat domains.txt | httpx -tls-probe
Flag | Description |
---|---|
-tls-probe | Displays the SSL/TLS certificate information. |
- HTTP2/3 Support with No FallBack
This tool supports probing with modern HTTP/2 and HTTP/3 protocols by default when servers support them. This ensures faster and more efficient connections.
If you want to strictly use HTTP/2 or HTTP/3 without falling back to HTTP/1.1 if a server does not support them, use the -no-fallback flag:
cat domains.txt | httpx -http2 -no-fallback
Purpose: This ensures that only targets correctly supporting HTTP/2 or HTTP/3 are interacted with, which is useful for protocol-specific testing and performance analysis.
- Silent Mode and Output Customization
cat domains.txt | httpx -silent -json
Flag | Description |
---|---|
-silent | Prints only the raw results and suppresses extra text. |
-output | Writes the output to a file. Takes the file location and name. |
-output-all | Saves the result in every format. Takes the file location and name. |
-json | Store output in JSON format (ideal and structured format). |
-csv | Store output in CSV format. |
- Filters and Matches
cat domains.txt | httpx -mc 200
Flag | Description |
---|---|
-mc | Matches responses with the given status code (such as 200 or 302). |
-ml | Matches responses with the given content length. |
Real-World Practical Example
- Find subdomains
subfinder -d example.com -silent > subs.txt
Subfinder is a tool that finds the subdomains of a website.
- Check live hosts and fetch titles
cat subs.txt | httpx -title -tech-detect -status-code -o ~/Desktop/result.txt
Quickly checks the live subdomains out of the subs.txt list.
- Port Scanning with Naabu
naabu -p 21,80 -list subs.txt -json
Automate full-stack reconnaissance with minimal manual steps.
Common Errors and Troubleshooting
Common Installation Problems
- Missing Go environment: Install Go first.
- PATH issues: Ensure $GOPATH/bin is in your system PATH.
Timeout/Connection Issues
- Increase timeout with -timeout 20.
- Adjust retries with -retries 3.
Output Errors
- Use -json or -csv for clean structured output.
- Validate input lists carefully (no empty lines).
Best Practices
How to Use it Safely and Efficiently
- Always have permission or legal scope.
- Limit scan intensity if unsure.
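The two points above (clean input lists, stay inside the authorized scope) can be enforced before anything reaches httpx. The script below is an added example, not part of httpx or the original article; the `IN_SCOPE` list, the function names and the hostname-only handling (no IPv6 literals) are assumptions for illustration.

```python
import re
import sys

# Hypothetical scope list: replace with the domains your authorization covers.
IN_SCOPE = ("example.com",)

# RFC 1123 style hostname: dot-separated labels, 253 characters at most.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(line):
    """Return a bare lowercase hostname, or None for blanks, comments and junk."""
    host = line.strip().lower()
    if not host or host.startswith("#"):
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)           # drop scheme
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")  # drop path, port, dot
    return host if HOST_RE.match(host) else None

def in_scope(host, suffixes=IN_SCOPE):
    # Exact domain or a true subdomain; "notexample.com" must not pass.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def clean_targets(lines, suffixes=IN_SCOPE):
    """Deduplicate in input order and return (kept, rejected)."""
    kept, rejected, seen = [], [], set()
    for raw in lines:
        host = normalize(raw)
        if host is None:
            text = raw.strip()
            if text and not text.startswith("#"):
                rejected.append(text)  # malformed entry, report it
            continue
        if host in seen:
            continue
        seen.add(host)
        (kept if in_scope(host, suffixes) else rejected).append(host)
    return kept, rejected

if __name__ == "__main__":
    # Usage: python clean_targets.py < subs.txt | httpx -silent
    kept, rejected = clean_targets(sys.stdin)
    for item in rejected:
        print("skipped:", item, file=sys.stderr)
    print("\n".join(kept))
```

Rejected entries go to stderr so the cleaned list on stdout can be piped straight into httpx.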
Rate Limiting and Respect for Targets
cat targets.txt | httpx -rate-limit 100
Throttle requests to avoid DoSing servers.
Automation Tips for Larger Scans
- Pipe outputs to files.
- Combine with xargs, jq, or Python scripts for advanced workflows.
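As an added example of the Python post-processing mentioned above (not code from the article or from Project Discovery), this script reads `httpx -silent -json` output and builds an inventory by status code and detected technology. The sample lines are constructed, and the field names `url`, `status_code` and `tech` are assumed to match recent httpx releases, so check them against your own output.

```python
import json
import sys
from collections import defaultdict

# Constructed sample of `httpx -silent -json` output, one JSON object per line.
# Field names are an assumption; verify them against your httpx version.
SAMPLE = """\
{"url":"https://api.example.com","status_code":200,"title":"API","tech":["Nginx"]}
{"url":"https://old.example.com","status_code":200,"title":"Blog","tech":["Apache HTTP Server","WordPress"]}
{"url":"https://vpn.example.com","status_code":403,"title":"Forbidden"}
not json: a banner line that leaked into the file
"""

def load_results(lines):
    """Yield one dict per valid result line; skip blanks and non-JSON noise."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. banner text when -silent was forgotten
        if isinstance(rec, dict) and "url" in rec:
            yield rec

def inventory(records):
    """Group URLs by status code and by detected technology."""
    by_status, by_tech = defaultdict(list), defaultdict(list)
    for rec in records:
        by_status[rec.get("status_code")].append(rec["url"])
        # A missing or empty tech list still gets a bucket so nothing is lost.
        for tech in rec.get("tech") or ["(none detected)"]:
            by_tech[tech].append(rec["url"])
    return dict(by_status), dict(by_tech)

if __name__ == "__main__":
    # Usage: cat domains.txt | httpx -silent -json -tech-detect | python inventory.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    by_status, by_tech = inventory(load_results(source))
    for status, urls in sorted(by_status.items(), key=lambda kv: str(kv[0])):
        print(f"{status}: {len(urls)} host(s)")
    for tech, urls in sorted(by_tech.items()):
        print(f"{tech}: {', '.join(urls)}")
```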
Conclusion
HTTPX is a powerhouse for HTTP reconnaissance. It’s fast, lightweight, rich in features, and perfect for security workflows. Whether you’re doing bug bounty recon, internal audits, or mass technology mapping, HTTPX should be a permanent part of your toolkit.