Decryption is opt-in per host. By default the proxy passes HTTPS through untouched — you choose which hosts to decrypt by adding them to your SSL-proxy list. Everything else stays an opaque tunnel.
## The default: pass through
When an HTTPS connection arrives, the proxy looks at the destination host. If the host isn't on your SSL-proxy list, the proxy never decrypts it — it forwards the encrypted bytes straight through as a raw tunnel. No certificate is minted, nothing is read, and (by default) nothing is logged. This keeps capture focused and avoids breaking traffic you don't care about.
To actually see inside a host's HTTPS traffic, you add it to the SSL-proxy list.
## SSL-proxy domains
The list of hosts to decrypt lives in your dashboard settings and is pushed to the proxy live over Realtime, with no restart and no waiting. A connection whose host matches the list is decrypted and fully captured (headers, bodies, timing); anything else passes through.
Matching is wildcard-aware:
- `example.com` matches exactly that host and nothing else.
- `*.example.com` matches `example.com` itself and any subdomain at any depth (`api.example.com`, `a.b.example.com`).
These are the same semantics the iOS app uses, so a domain list behaves identically across capture clients.
## The wider set of controls
Five related settings shape what gets decrypted and what reaches the feed:
| Setting | Effect |
|---|---|
| `sslProxyDomains` | Hosts to decrypt and fully capture. Everything else is a raw tunnel. |
| `mitmAllHosts` | Decrypt every HTTPS host, ignoring the list above. Handy for ad-hoc curl tests without first whitelisting a host. |
| `inspectAllRequests` | For hosts that pass through without decrypting, still emit one log entry per tunnel: host and byte counts only, no headers or body. |
| `ignoreHosts` | Hosts to drop from the feed entirely (same wildcard matching). Silences noise like OCSP/CRL chatter. |
| `pausedDomains` | Force a host to pass through untouched: no decrypt, no logging, no breakpoints. The strongest "leave this alone" switch. |
A few interactions worth knowing:
- `pausedDomains` wins. A paused host is always a raw passthrough, even if `mitmAllHosts` is on or the host is on the SSL-proxy list. Use it to carve out something you must not touch.
- `mitmAllHosts` vs `inspectAllRequests`. The first decrypts everything; the second only governs whether non-decrypted tunnels still leave a (header-less) trace in the feed. They are independent.
- `ignoreHosts` vs `pausedDomains`. Ignored hosts may still be decrypted; they are just kept out of the feed. Paused hosts are never decrypted at all.
- The never-MITM list still applies. Apple PKI, the DigiCert responders, and `*.busymate.net` always pass through regardless of any of the above. See Trust the CA.
## Per-device or global
Every one of these settings can be set globally or overridden per device. The proxy resolves the effective set for whichever device the traffic belongs to (merging the global defaults, that device's overrides, and any service-group domains), and falls back to the global settings for traffic it can't attribute to a specific device. So you can decrypt one host for just one phone without touching everyone else.
You edit all of this from the dashboard; changes reach the proxy live. Captured bodies are recorded up to a 1 MB cap and decompressed (gzip / brotli / deflate) before being shown.
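To make the matching rules and the precedence between these settings concrete, here is a small reference implementation. It is an added example, not the proxy's own code: the setting names are the ones documented above, but `hostMatches`, `decide`, `effectiveSettings`, the `decrypt`/`log` result shape and the per-device merge semantics (device override replaces the global value per setting; service-group domains are appended to `sslProxyDomains`) are assumptions made for this example. The never-MITM list is reduced to `*.busymate.net` because the page does not spell out the Apple PKI or DigiCert hostnames.

```javascript
// Added example (not the proxy's own code). Reference model of the
// host-matching and precedence rules documented on this page.

// Wildcard matcher: "example.com" is exact; "*.example.com" matches
// example.com itself and any subdomain at any depth.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith('*.')) {
    const base = p.slice(2);
    return h === base || h.endsWith('.' + base);
  }
  return h === p;
}

function inList(list, host) {
  return (list || []).some((pattern) => hostMatches(pattern, host));
}

// Never-MITM list. The page also names Apple PKI and the DigiCert responders
// but gives no hostnames for them, so only *.busymate.net is listed here.
const NEVER_MITM = ['*.busymate.net'];

// Resolve what happens to one HTTPS connection for a given host.
// Returns { decrypt: boolean, log: 'full' | 'summary' | 'none' }
// (this result shape is an assumption of the example).
function decide(settings, host) {
  const s = {
    sslProxyDomains: [],
    mitmAllHosts: false,
    inspectAllRequests: false,
    ignoreHosts: [],
    pausedDomains: [],
    ...settings,
  };

  // 1. pausedDomains wins over everything: raw passthrough, nothing logged.
  if (inList(s.pausedDomains, host)) {
    return { decrypt: false, log: 'none' };
  }

  // 2. Never-MITM hosts are never decrypted, even with mitmAllHosts on.
  const neverMitm = inList(NEVER_MITM, host);
  const decrypt = !neverMitm && (s.mitmAllHosts || inList(s.sslProxyDomains, host));

  // 3. ignoreHosts keeps the host out of the feed but does not stop decryption.
  if (inList(s.ignoreHosts, host)) {
    return { decrypt, log: 'none' };
  }

  if (decrypt) {
    return { decrypt: true, log: 'full' };
  }

  // 4. Non-decrypted tunnels leave a header-less trace only with inspectAllRequests.
  return { decrypt: false, log: s.inspectAllRequests ? 'summary' : 'none' };
}

// Per-device resolution (assumed semantics): a device override replaces the
// global value for each setting it defines; service-group domains are added to
// sslProxyDomains. Traffic with no device falls back to the globals.
function effectiveSettings(globalSettings, deviceOverrides, serviceGroupDomains) {
  const merged = { ...globalSettings, ...(deviceOverrides || {}) };
  merged.sslProxyDomains = [
    ...(merged.sslProxyDomains || []),
    ...(serviceGroupDomains || []),
  ];
  return merged;
}

// Constructed sample configuration, for a stand-alone run.
const sampleGlobal = {
  sslProxyDomains: ['*.example.com'],
  ignoreHosts: ['ocsp.example.net'],
  inspectAllRequests: true,
};
const samplePhone = { pausedDomains: ['bank.example.com'] };

for (const host of ['api.example.com', 'bank.example.com', 'ocsp.example.net', 'cdn.other.test']) {
  console.log(host, decide(effectiveSettings(sampleGlobal, samplePhone, []), host));
}
```

Reading the function top to bottom gives the precedence order the bullet list describes: paused first, then the never-MITM list, then the decrypt decision, then `ignoreHosts` filtering the feed, and finally `inspectAllRequests` deciding whether an undecrypted tunnel leaves a summary entry at all.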
Scripts run on decrypted hosts only. A script (or a path-precise block rule) can read and mutate a host's traffic only if that host is decrypted, whether via this list, `mitmAllHosts`, or a service group. A raw passthrough host is matched by name only. The proxy-server runs the fullest scripting engine, covering all decrypted HTTPS plus plain HTTP, with bodies up to 1 MB.
## Next
- Scripts: run JavaScript on decrypted requests and responses.
- Breakpoints & resend: pause and edit decrypted traffic, and replay requests.
- External proxy: send egress through an upstream proxy.