> ## Documentation Index
> Fetch the complete documentation index at: https://hoopdev-docs-improve-idp-sso-pages.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# HTTP Proxy

> Proxy any HTTP/HTTPS service through Hoop with audit logging, credential offloading, and data masking — without exposing it to the public internet.

<ConnectionTemplate
  config={{
"id": "httpproxy",
"name": "HTTP Proxy",
"description": "Proxy any HTTP/HTTPS service through Hoop with audit logging, credential offloading, and data masking — without exposing it to the public internet.",
"category": "web-applications",
"icon-name": "httpproxy",
"tags": [
"web",
"security"
],
"features": {
"tlsTerminationProxy": {
  "native": true,
  "oneOff": false
},
"audit": {
  "native": true,
  "oneOff": false
},
"dataMaskingGoogleDLP": {
  "native": false,
  "oneOff": false
},
"dataMaskingMSPresidio": {
  "native": true,
  "oneOff": false
},
"guardrails": {
  "native": false,
  "oneOff": false
},
"credentialsOffload": {
  "native": true,
  "oneOff": false
},
"interactiveAccess": {
  "native": false,
  "oneOff": false
}
},
"overview": {
"description": "Use the HTTP Proxy connection type to expose any internal HTTP/HTTPS service through Hoop without opening it to the internet. All traffic is routed through the agent, giving you a full audit trail of requests and responses, credential offloading so clients never hold API keys directly, and optional data masking for sensitive payloads. Supports standard HTTP, HTTPS, and WebSocket connections."
},
"setupGuide": {
"accessMethods": {
  "webapp": false,
  "cli": true,
  "native": true,
  "runbooks": false
}
},
"resourceConfiguration": {
"type": "httpproxy",
"subtype": "web-application",
"credentials": [
  {
    "name": "REMOTE_URL",
    "type": "env-var",
    "required": true,
    "description": "The target HTTP/HTTPS URL to proxy requests to",
    "placeholder": "https://internal-api.example.com"
  },
  {
    "name": "HEADER_*",
    "type": "env-var",
    "required": false,
    "description": "Custom headers injected into every proxied request. Use the HEADER_ prefix followed by the header name, e.g. HEADER_AUTHORIZATION=Bearer <token>",
    "placeholder": "HEADER_AUTHORIZATION=Bearer <token>"
  },
  {
    "name": "INSECURE",
    "type": "env-var",
    "required": false,
    "description": "Set to 'true' to skip TLS certificate verification. Useful for services with self-signed certificates.",
    "placeholder": "false"
  }
]
},
"documentationConfig": {
"path": "quickstart/web-applications/http-proxy"
}
}}
/>

## Setup

<Tabs>
  <Tab title="Web App">
    1. In the web app, navigate to **Connections** and click **New Connection**
    2. Select **HTTP Proxy** as the connection type
    3. Choose your agent and give the connection a name
    4. Set `REMOTE_URL` to the target service URL
    5. Click **Save**
  </Tab>

  <Tab title="API">
    Secret values must be base64-encoded. Then POST to `/api/connections`:

    ```bash theme={null}
    curl -X POST https://<gateway>/api/connections \
      -H 'Api-Key: <your-api-key>' \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "my-api",
        "type": "application",
        "subtype": "httpproxy",
        "agent_id": "<agent-id>",
        "secret": {
          "envvar:REMOTE_URL": "<base64-encoded-url>"
        },
        "access_mode_runbooks": "disabled",
        "access_mode_exec": "disabled",
        "access_mode_connect": "enabled",
        "access_schema": "disabled"
      }'
    ```

    Additional environment variables (custom headers, `INSECURE`, etc.) follow the same `"envvar:KEY": "<base64-value>"` pattern in the `secret` object.
  </Tab>
</Tabs>

## Accessing the Connection

When you open a connection via **Connect > Open in Native Client** in the web app, Hoop issues a time-limited session token and provides two ways to use it:

**Authorization header** — for API clients, curl, or any tool that supports custom headers:

```bash theme={null}
curl -H 'Authorization: httpproxy-<token>' https://<host>:<port>/
```

**Token in URL path** — for browsers or tools that can't set headers:

```
https://<host>:<port>/httpproxy-<token>
```

The session expires automatically when the time limit is reached, and the token is revoked.

## Custom Headers

Use `HEADER_*` environment variables to inject headers into every proxied request. This is useful for credential offloading — the client never holds the API key directly.

Add them to the connection's `secret` object using the same `"envvar:KEY": "<base64-value>"` pattern as `REMOTE_URL`:

```json theme={null}
"secret": {
  "envvar:REMOTE_URL": "<base64-encoded-url>",
  "envvar:HEADER_AUTHORIZATION": "<base64-encoded-bearer-token>",
  "envvar:HEADER_X_API_KEY": "<base64-encoded-api-key>"
}
```

You can add as many `HEADER_*` variables as needed. Each becomes a header on every proxied request.

## Self-Signed Certificates

For services with self-signed or internal CA certificates, set `INSECURE=true` to skip TLS verification. Add it to the connection's `secret` object alongside `REMOTE_URL`:

```json theme={null}
"secret": {
  "envvar:REMOTE_URL": "<base64-encoded-url>",
  "envvar:INSECURE": "dHJ1ZQ=="
}
```

(`dHJ1ZQ==` is the base64 encoding of `true`.)

## WebSocket Support

WebSocket connections are supported automatically. When the proxied service returns an HTTP 101 Switching Protocols response, Hoop upgrades the connection transparently — no additional configuration required.