Configurable test origin server for tungsten proxy CI testing
size=10MB, content_type=application/pdf,
disposition=attachment, embed_signature=0:4d5a9000, etc.
Tungsten inspects the first 4KB of every body with Magika — Content-Type headers are
irrelevant to detection.
Browser-initiated downloads via anchor tag navigation. Tests tungsten's download detection for Document and NonBrowser request types.
Links for PDF, ZIP, XLSX, EXE, MP4 + custom download builder. Replaces getsamplefiles.com.
Resources meant to be right-clicked and saved. Tests tungsten's SaveAs request kind detection, which always triggers download inspection regardless of MIME type.
Inline PDFs, executables, images. Replaces github.com/mimikatz save-as test.
Programmatic downloads via fetch() with configurable response type: blob, arraybuffer, or ReadableStream. Tests inspection of non-navigation downloads.
Shows transfer speed and size. Replaces github.com/mimikatz XHR test.
Dynamically injects a hidden <iframe> to trigger a download. Tests that tungsten detects and inspects downloads initiated via non-visible iframes (Iframe request type).
Configurable target URL.
Simulates Dropbox/Box/Google Drive. A static <iframe> in the DOM navigates to a download URL. Browser sends Sec-Fetch-Dest: iframe, triggering tungsten's iframe download path and frame-busting download page.
Tests that tungsten correctly intercepts iframe downloads and breaks out to top-level.
Native form POST (multipart or urlencoded) and XHR/fetch upload on a single page. Tests sec-fetch-mode: navigate vs cors classification and upload inspection across all encoding variants.
File, Blob, or generated data. Replaces west-wind.com.
Form with pre-filled sensitive data patterns (SSN, credit card numbers, PII). Tests DLP policy enforcement on application/x-www-form-urlencoded POST bodies.
Replaces dlptest.com.
Client-side File.slice() with concurrent PUT requests. Tests tungsten's inspection of multiplexed chunked uploads with Content-Range headers.
Configurable chunk size and concurrency. Replaces AWS S3 console upload behavior.
Page on one hostname making fetch calls to a different hostname. Tests that proxy auth doesn't break cross-origin requests where browsers restrict cookie sending.
Planned — requires hostname-based routing setup.
Page making fetch calls, loading scripts/images/CSS from the same origin. Tests that proxy auth doesn't interfere with normal same-origin subresource loading.
Planned — requires hostname-based routing setup.
| Method | Path | Description | Key Parameters |
|---|---|---|---|
| GET | /download | Serve configurable response body | size, content_type, disposition, filename, transfer_encoding, content_encoding, embed_signature, trickle_rate |
| POST | /upload | Streaming upload, returns diagnostics | — |
| PUT | /upload | Streaming upload (same as POST) | — |
| POST | /upload/form | Buffered form POST (DLP testing) | — |
| GET | /health | Health check | — |
| Use Case | URL |
|---|---|
| 1MB PDF download | /download?size=1MB&content_type=application/pdf&disposition=attachment&filename=test.pdf |
| 50MB ISO (non-browser) | curl -o test.iso http://<host>/download?size=50MB&content_type=application/x-iso9660-image |
| Embed PE header in body | /download?size=1MB&embed_signature=0:4d5a9000 |
| Chunked transfer | /download?size=5MB&transfer_encoding=chunked |
| Resumable download | curl -C - -o file.bin http://<host>/download?size=100MB |