Under Review
Last Updated: 11 Jul 2024 13:19 by Kanchan
Created by: Imported User
Comments: 4
Type: Feature Request
The error messages pops up on Windows 10 version 1703.  Fiddler installs and runs with not issues on Windows 10 version 1607.
Last Updated: 09 Jul 2024 17:53 by Eric

I often have to locally save a lot of responses manually.

My workflow is:
• Open a .saz file

• Search for a particular request

• Save the response locally.


For that, I always have to manually click the "Response body is encoded. Click to decode." Button.

Fiddler Classic doesn't have a feature to automatically decode the selected request's response body.


So if I don't pay attention, and skip a step, I will store an encoded response body, without ever noticing it. Which can cause trouble later, since these files are then sent to my customer. And the customer could randomly check the files.


I need a toggle in Fiddler, that automatically decodes the selected request's response body.

Pending Review
Last Updated: 09 Jul 2024 17:16 by Jeremy

Today, Fiddler exposes these two events to handle scenarios where the user is saving or loading a SAZ file.

        /// fires just before a SAZ file is saved
        public static event EventHandler<WriteSAZEventArgs> OnSaveSAZ;

        /// fires just after a SAZ file is loaded
        public static event EventHandler<ReadSAZEventArgs> OnLoadSAZ;

Equivalent event handlers should be created for the scenario where a user is Importing content into the Sessions list (e.g. using NetLog import or HAR import, etc). Otherwise, developers must undertake cumbersome workarounds to detect that a list of Sessions has been created/loaded from a file import, if, say, they wish to perform processing on those imported Sessions (adding custom properties or changing the display properties in the Session list).

Last Updated: 05 Jun 2024 07:34 by Claudio
Created by: Mihai
Comments: 4
Type: Feature Request

Would really appreciate a proper machine based installation again, user-based installs are difficult to manage in corporate/enterprise environments & the psuedo machine install of redirecting install folder & creating new shortcuts isn't great, especially if as you mention yourself extensions wont work.

I understand the advantage of not needing admin rights to install programs, but surely most of the targeted audience for this application would either A) have admin rights, or B) be in a managed environment with deployment software in use (and potentially white-listing/App Control software preventing unauthorized apps to run anyway)

Last Updated: 16 Apr 2024 06:45 by ADMIN

Hi Team,

We wanted to use Fiddler Classic and when we send for Security Scanning, its flagged as Malicious. From your end, do you have confirmation like it would be false positive. Attached the screenshot where it was flagged as Malicious.


Pending Review
Last Updated: 03 Apr 2024 18:03 by Eric
Created by: TelerikHDMI
Comments: 3
Type: Feature Request

I would be nice if Fiddler could decrypt zstandard compressed requests.

Last Updated: 29 Mar 2024 02:49 by Ryuu

For legacy reasons, Fiddler logs the message "HTTPSLint> Warning: ClientHello record was {0} bytes long. Some servers have problems with ClientHello's greater than 255 bytes"

This message should be removed because at this point, effectively ALL clienthellos are over 500 bytes and basically all servers are okay with it.

(This message was only relevant around 2014 or so when longer clienthellos started becoming common)

Last Updated: 28 Mar 2024 10:43 by ADMIN
Created by: Eric
Comments: 0
Type: Bug Report

When sending post data, -d option needs to ensure that the data does not start with an @



BasicFormats.dll - cURLExport.cs

Last Updated: 28 Mar 2024 10:42 by ADMIN

As noted in the Fiddler book,

Sessions rerouted from one hostname to another using the Host Remapping tool are rendered with a light blue background in the Web Sessions list. HTTPS Sessions that have been rerouted have the X-IgnoreCertCNMismatch and X-OverrideCertCN Session Flags set to avoid raising “Certificate Name Mismatch” errors.

However, there's a bug. In the HostsFile.cs code, there's are several places that look like:

            if (oS.isTunnel) {

                oS["x-overrideCertCN"] = oS.hostname;
                oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";

This usually works for browser traffic going through Fiddler (because the HTTPS handshake is typically conducted on the CONNECT tunnel). However, it doesn't work (and the user is spammed with cert error warnings) if the traffic is sent from Fiddler itself (e.g. via Composer or using the "Reissue requests" context menu item). 

The code should look like this:

            if (oS.isHTTPS || oS.isTunnel) {

                oS["x-overrideCertCN"] = oS.hostname;
                oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";


Last Updated: 28 Mar 2024 06:21 by d
Created by: Eric
Comments: 5
Type: Feature Request

The .NET Framework has added support for TLS/1.3.

We should do the work to enable TLS/1.3 in Fiddler (it's very little additional work to add "Tls1.3" to the options dialog and the underlying code). 

Under Review
Last Updated: 15 Feb 2024 13:41 by ADMIN
Created by: Imported User
Comments: 3
Type: Feature Request
This would be useful to compare a completed working trace versus a non-working trace, side by side and see what the difference in the traces are.
Last Updated: 04 Feb 2024 09:49 by piccolo


I’m developing a .NetFramework extension for Fiddler and am finding an issue with clearing bold, italic, strikethrough on the session text in the session list when using “this.session.RefreshUI()”. I’d like to be able to see these changes occur upon a context menu item click, immediately within Fiddler, without having the reload the sessions or the application. I can see the session flags are removed from the session as expected, but the bold, italic, or strikethrough is not unset.

I’m aware there is an option to Mark, Unmark sessions, but this doesn’t fit integrate closely enough with the extension I am developing or do exactly what I would like.

I seem to have no issues with changing the UI-Backcolor or UI-Color and refreshing for the updates to be immediately seen.

I can set UI-Bold, UI-Italic, UI-Strikethrough, but I cannot unset these with RefreshUI().

Is this a bug? Is the RefreshUI() call not doing something for UI-Bold, UI-Italic & UI-Strikethrough which it does do for UI-BackColor and UI-Color?



Pending Review
Last Updated: 25 Jan 2024 17:38 by Matías

I will be very useful if the font can be configured separately. One font for the composer and results, and the other for the IDE.

If I change the FONT, all the IDE is updated, including the composers, but after RESTARING, the composer has the same font than before

Last Updated: 24 Dec 2023 07:22 by Xriuk
Created by: Xriuk
Comments: 3
Type: Bug Report

Related issue: https://github.com/aws/aws-sdk-net/issues/2567

When sending multiple requests to the same domain, sometimes Fiddler alters the headers (in this case by duplicating the user-agent one), and in this case it causes a fail because a precomputed signature of the request does not match.

Need More Info
Last Updated: 24 Dec 2023 03:00 by Eric

good morning 

i got error while capturing my app to auth.btxo.cn

=== Windows 10 64bit OS==

===Protocols I have enabled: <client>;ssl2;ssl3;tls1.0;tls1.1;tls1.2

====== Message from Fiddler v5.0.20211.51073  for .NET v4.6.1
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
Connection: close

fiddler.network.https> HTTPS handshake to (for #17) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

Win32 (SChannel) Native Error Code: 0x80090326


Any help ??

Thank you


The fiddler response

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 65 58 47 1D 28 AB A2 68 50 33 C7 75 1E A4 8B F5 9D A6 FB A0 F9 D2 54 FA 93 D5 AE 78 E5 26 7D 89
"Time": 26/07/1985 15:35:49
SessionID: empty
server_name auth.btxo.cn
status_request OCSP - Implicit Responder
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
signature_algs rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_sha1, dsa_sha1, rsa_pkcs1_sha512, ecdsa_secp521r1_sha512
SessionTicket empty
ALPN http/1.1
extended_master_secret empty
renegotiation_info 00


Last Updated: 27 Nov 2023 10:37 by Niko
Created by: Imported User
Comments: 6
Type: Feature Request
I've attached the raw HTTP response, copied directly from Fiddler. At lOperations[0].lRecords, you'll see that there are 2 records (arrays) and that each record contains 6 items, the last of which is an array. However, when I view the resonse using the JSON filter, the second of these arrays appears to contain only 5 items. I'm sure that the bug has something to do with the fact that the sub-array in the second array is an empty array, but it should display as an empty array, not as if it weren't there at all.
Need More Info
Last Updated: 01 Nov 2023 15:00 by ADMIN

Help menu to check for updates says:

Error retrieving version information

System.IO.InvalidDataException ... Server Resonse Code = 502
    at [encoding error] ...Updater.cs:Line 90

GET /UpdateCheck.aspx?isBeta=False HTTP/1.1 Result 502


v5.0.20211.51073 for .NET 4.6.1
Built: Wednesday, December 15, 2021
64-bit AMD64, VM: 84.0mb, WS: 129.0mb
.NET 4.8 WinNT 10.0.19045.0
Need More Info
Last Updated: 27 Oct 2023 05:48 by ADMIN
I am looking for a way to display the times reported in a trace either as-is or convert to GMT and not the current TZ, without having to change the TZ setting of my own computer. I get far too many traces from all over the world and having the reported time display as it was recorded makes it much easier when I am assembling a report. 
Last Updated: 21 Oct 2023 07:04 by Dan Avni
Created by: Dan Avni
Comments: 2
Type: Feature Request

I have a base64 of a gzip of utf8 bytes of a string - base64(gzip(utg8(string)))

Please add to the TextWizard options in the transform to encode/decode a string to gzip


Won't Fix
Last Updated: 25 Aug 2023 08:14 by ADMIN

Dear Fiddler developers,


I was recently inspecting the Punch In and Clock Out system of our company. After I captured the POST to send the punch in packages, I try to replayed it.

The replay functions returened a valid request. It is still valid even if I export the session into curl of a bat fil. But I got a issue after I copy the code into a bigger automatic code. The server I sent report me a 543 error "Please check the shifts." And the map API returned a UTF-8 wrong decode.


First I thought that this is because the limitation of both Unix and Windows system, I tried to pipe all the satings into the limitation they desire, 520 as I measured in UNIX. But it did not work.

Later on I watch the debug with the bash -x for about an hour, then I realise that you, the Fiddler program actually somehow turn one % into double %%.

After I replace all the %% with single %, everything works fine.


My first doubt is the ChatGPT. But as I was looking through the chat history, the ansewer is no, The problem is somewhere before I ever peate the code to ChatGPT to run. So I regenerated the whole cURL code from Fiddle, and yes this fault is your issue.


Please keep me updated if you fix that problems. Also, maybe I am ingnorant on this common problem. I am just a noob in the holy I.T. stuffs.



1 2 3 4 5 6