Source URL: https://simonwillison.net/2025/Sep/19/httpjail/#atom-everything
Source: Simon Willison’s Weblog
Title: httpjail
Feedly Summary: httpjail
Here’s a promising new (experimental) project in the sandboxing space from Ammar Bandukwala at Coder. httpjail provides a Rust CLI tool for running an individual process against a custom configured HTTP proxy.
The initial goal is to help run coding agents like Claude Code and Codex CLI with extra rules governing how they interact with outside services. From Ammar’s blog post that introduces the new tool, Fine-grained HTTP filtering for Claude Code:
httpjail implements an HTTP(S) interceptor alongside process-level network isolation. Under default configuration, all DNS (udp:53) is permitted and all other non-HTTP(S) traffic is blocked.
httpjail rules are either JavaScript expressions or custom programs. This approach makes them far more flexible than traditional rule-oriented firewalls and avoids the learning curve of a DSL.
Block all HTTP requests other than the LLM API traffic itself:
$ httpjail --js "r.host === 'api.anthropic.com'" -- claude "build something great"
I tried it out using OpenAI’s Codex CLI instead and found this recipe worked:
brew upgrade rust
cargo install httpjail # Drops it in `~/.cargo/bin`
httpjail --js "r.host === 'chatgpt.com'" -- codex
Within that Codex instance the model ran fine but any attempts to access other URLs (e.g. telling it "Use curl to fetch simonwillison.net") failed at the proxy layer.
This is still at a really early stage but there’s a lot I like about this project. Being able to use JavaScript to filter requests via the `--js` option is neat (it’s using V8 under the hood), and there’s also a `--sh` shellscript option which instead runs a shell program passing environment variables that can be used to determine if the request should be allowed.
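A way to dry-run a host rule before handing it to `--js`, as an added example (not code from the post or from httpjail). It assumes a rule is an expression evaluated with the request bound to `r`, uses only `r.host`, and treats only a strict `true` as allow, which is this harness's choice rather than documented httpjail behaviour; it goes beyond the post's exact-match rule to show how looser suffix and substring matches over-permit.

```javascript
// Added example, not httpjail's code. Assumption: a --js rule is a JavaScript
// expression evaluated with the request bound to `r`; only `r.host`, the one
// field shown in the post, is used. All host test cases are constructed.

// Compile a rule into a predicate. Only a strict `true` allows the request;
// anything else, including a thrown error, denies it (fail closed).
function compileRule(expr) {
  const fn = new Function('r', `"use strict"; return (${expr});`);
  return (r) => {
    try {
      return fn(Object.freeze({ ...r })) === true;
    } catch {
      return false;
    }
  };
}

// Constructed matrix: host -> whether the policy author wants it allowed.
const CASES = [
  { host: 'api.anthropic.com', want: true },
  { host: 'simonwillison.net', want: false },
  { host: 'notanthropic.com', want: false },              // shares a suffix only
  { host: 'api.anthropic.com.example.net', want: false }, // contains the name only
  { host: undefined, want: false },                       // malformed request
];

// Return the hosts on which a rule disagrees with the intended policy.
function audit(expr, cases = CASES) {
  const allow = compileRule(expr);
  return cases
    .filter((c) => allow({ host: c.host }) !== c.want)
    .map((c) => String(c.host));
}

const RULES = {
  exact: "r.host === 'api.anthropic.com'",
  suffix: "r.host.endsWith('anthropic.com')",
  substring: "r.host.includes('anthropic.com')",
  dottedSuffix: "r.host === 'anthropic.com' || r.host.endsWith('.anthropic.com')",
};

for (const [name, expr] of Object.entries(RULES)) {
  const wrong = audit(expr);
  console.log(name.padEnd(13), wrong.length ? `disagrees on: ${wrong.join(', ')}` : 'matches intent');
}
```
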
At a basic level it works by running a proxy server and setting HTTP_PROXY and HTTPS_PROXY environment variables so well-behaving software knows how to route requests.
It can also add a bunch of other layers. On Linux it sets up nftables rules to explicitly deny additional network access. There’s also a `--docker-run` option which can launch a Docker container with the specified image but first locks that container down to only have network access to the httpjail proxy server.
It can intercept, filter and log HTTPS requests too by generating its own certificate and making that available to the underlying process.
I’m always interested in new approaches to sandboxing, and fine-grained network access is a particularly tricky problem to solve. This looks like a very promising step in that direction – I’m looking forward to seeing how this project continues to evolve.
Via Fine-grained HTTP filtering for Claude Code
Tags: http, javascript, proxies, sandboxing, security, v8, rust, claude-code, codex-cli
AI Summary and Description: Yes
Summary: The text discusses an experimental project called httpjail, which provides a Rust CLI tool aimed at enhancing process-level network isolation and filtering HTTP(S) traffic for coding agents like Claude Code and Codex CLI. It presents a novel approach to sandboxing and fine-grained network access control, making significant strides toward more secure interactions with external services.
Detailed Description:
The httpjail project, created by Ammar Bandukwala at Coder, focuses on improving security through enhanced sandboxing for applications, specifically for coding agents that utilize Large Language Models (LLMs) such as Claude Code and OpenAI’s Codex. The tool embodies several innovative features that will be particularly relevant for professionals in security, compliance, and software engineering.
- **Core Functionality**:
  - httpjail acts as an HTTP(S) interceptor and provides process-level network isolation.
  - Under default settings, all DNS traffic is allowed and all other non-HTTP(S) traffic is denied.
- **Flexible Rules**:
  - Users can write their filtering rules as JavaScript expressions or custom programs, making the tool more adaptive than traditional firewalls that use static rules.
  - An example command demonstrates blocking all HTTP requests except those targeting a specific LLM API endpoint.
- **Usage**:
  - The author shares practical experience testing httpjail with OpenAI’s Codex CLI to filter HTTP requests, showing that it blocks unwanted URLs.
- **Advanced Features**:
  - On Linux it sets up nftables rules to explicitly deny additional network access.
  - Users can run the tool with a Docker container whose network access is restricted strictly to the httpjail proxy server.
  - The tool can intercept, filter and log HTTPS requests by generating its own certificate for the intercepted traffic.
- **Implications for Security**:
  - The project represents a promising development in sandboxing techniques, potentially improving the security posture of software that interacts with various web services.
  - This approach may appeal to developers and security professionals interested in protecting applications from unauthorized internet access, thereby reducing risks.
- **Future Prospects**:
  - As the project is still in its early stages, there’s potential for further enhancements that could solidify its utility and relevance in AI security and broader application security.
Overall, httpjail stands out as a significant tool that could shape how developers address network isolation and security, especially with the increasing reliance on AI and coding agents.