Changelog
Technical changes shipped to Quickmock — features, fixes, security hardening. Source-of-truth is the git history; this page is the curated developer-facing view.
2026-07-17 — Admin token per mock
Added
- Creating a mock now returns a one-time admin token, shown once in a copyable banner on the mock page — save it, because it can't be shown again.
- Editing a mock, deleting it, or clearing its logs now needs that token: send it as
Authorization: Bearer <token>. Reading a mock, its logs, and the live inspector still work by slug alone, no token required.
- Mocks created before this release keep working without a token until they expire. New guide: Manage mocks from any device.
2026-07-05 — Live inspector, export & import, anti-spam
Added
- The request inspector streams over Server-Sent Events: new requests appear instantly, with no polling, and the page falls back to polling automatically where SSE is unavailable.
- Export a mock's config as JSON from its page (no logs, no IPs) and import it on the create form — from a file or pasted text, entirely in your browser. The format matches
POST /api/mocks, so exports are replayable via the API.
- An anti-spam content filter blocks abusive mock creation. Operators can replace the built-in pattern list (
QUICKMOCK_SPAM_PATTERNS_FILE), disable it, or allowlist IPs (QUICKMOCK_SPAM_ALLOW_IPS).
Added
- One checkbox on the create form turns on a permissive, credential-free CORS preset (
Access-Control-Allow-Origin: * and friends) and answers OPTIONS preflight with 204 — call a mock from browser JS on any origin, no proxy.
- New use-case guide: Mock an API with CORS.
2026-06-13 — Use-case guides
Added
- New /guide section: scenario-first landing pages for common tasks — mock a REST API, test retry logic, simulate flaky or slow APIs, inspect webhooks, return fake data, echo the request. Each page has a ready-to-run curl example; all are listed in the sitemap.
- Each guide now has a copy button on its curl examples and a one-click Create a mock CTA that opens the home form pre-filled with that recipe's config — method, body, delay, error rate, sequence — ready to submit.
2026-06-11 — Flaky-API simulation
Added
- Response sequences: a mock can now hold an ordered list of up to 10 extra responses (status + body + headers each) cycled per hit — 1st call → main response, 2nd → step 2, … then loop. Classic retry-logic testing. The position is a shared per-mock counter (Redis, with an in-process fallback), so every caller advances the same sequence.
- Error rate & delay jitter: a configurable share of requests (0–100%, rolled per request) can answer with an alternate status/body, and the response delay can be a min–max range for random latency jitter instead of a fixed value. All three settings combine, and a new
X-Mockapi-Variant response header (default, error, or seq-i/n) shows which branch served each hit. Configurable from the create form (new “Flaky simulation” section) and the API.
- The “Who built this” section on the home page now links to the maintainer's personal site (deadsquirrel.dev), language-matched per locale.
2026-06-10 — Request echo tokens
Added
- New
request.* dynamic tokens echo the incoming request back into the response body: {{request.method}}, {{request.path}}, {{request.ip}}, {{request.query.id}}, {{request.header.x-request-id}}, {{request.body}}, and JSON dot paths like {{request.body.user.name}}. Values are inserted verbatim and nothing extra is stored — a static mock can now answer with data from the request itself.
Fixed
- The 2026-05-20 entry below used to display Go-template escaping (
{{`…`}}) around every token instead of the token itself — leftover from copying the markup out of an HTML template. Now it shows plain {{faker.uuid}} and friends.
Added
- Footer credit now links the author name to the maintainer's personal site (deadsquirrel.dev), language-matched per locale, with
rel="me" as an identity signal.
2026-05-25 — Site content pass
Added
- This /changelog page itself, in EN and RU, with hreflang and an entry in
sitemap.xml.
- Home page: a Quick glossary section (Mock API, Endpoint, TTL, Faker token, Content-Type) for readers landing here without context.
- Home page: a Who built this block with author bio and direct links to GitHub, LinkedIn, Telegram — and a Why I built Quickmock personal-story section, so the page isn't a faceless tool landing.
- Visible Last updated stamp at the bottom of the home page;
dateModified mirrored into the WebApplication JSON-LD so AI crawlers see freshness.
Fixed
?lang=<code> in the URL now actually serves that language. Previously the canonical / hreflang links pointed at ?lang=ru but the resolver only read the cookie and Accept-Language, so a bot following the hreflang link saw English content — the multilingual signal was a lie.
Security
- Origin hardening for
/m/*: the public mock router now strips request-altering headers a malicious caller could use to confuse downstream proxies, slugs were lengthened (more entropy), and internal error messages are redacted before they reach the wire — no DSN fragments, no stack frames.
- Language switcher (
POST /language) now accepts same-origin absolute Referers, so the redirect-back path works behind reverse proxies that rewrite the Referer header. Cross-origin Referers are still rejected.
Fixed
- RealIP middleware now trusts
X-Forwarded-For / X-Real-IP when the immediate peer is loopback or a private/link-local address. Previously XFF was honored only for loopback peers, so behind Docker Compose every request was attributed to the bridge gateway (e.g. 172.18.0.1) — making creator_ip and request_ip useless and turning the per-IP mock limit into a global one.
- Mock router now stores incoming request headers with lowercased keys, so
request_headers->>'user-agent' works regardless of wire casing.
- UI: slug examples updated to the new 12-char format; Copy-URL button restored on the mock detail page.
2026-05-21 — UGC disclaimer
Added
- Footer disclaimer and Terms-of-use modal: mocks are user-generated content, prohibited categories (malware, phishing, CSAM, attack infrastructure) are spelled out, and an abuse-report channel is published.
- Footer modal stays usable on small viewports — close button is no longer clipped on mobile.
2026-05-20 — Dynamic tokens
Added
- Faker / now token substitution in response bodies:
{{faker.uuid}}, {{faker.email}}, {{faker.name}}, {{now.iso8601}}, plus 18 more (people, IDs, network, text, time). The mock stores the template as-is and renders fresh random values on every hit, so one mock can serve different data per call. Full list lives under Dynamic tokens on the create form.
2026-05-18 — Hardening & quality of life
Fixed
- Docker Compose deploy now waits for the
--wait healthcheck instead of polling /healthz in a shell loop, so deploys no longer print the cosmetic curl: (52) Empty reply while the proxy and Go process finish racing.
POSTGRES_PASSWORD example in .env.example now warns against base64-encoded values — pgx's DSN parser chokes on + / = in the password.
2026-05-17 — Initial public release
Added
- Core mock engine: create, view, edit, delete; all HTTP methods including
ANY.
- Public
/m/:slug router with configurable status, body, headers, response delay (0–30 s), and TTL.
- Live request inspector: HTMX 2-second poll, per-mock counter, clear-logs.
- cURL import — paste a
curl … command to pre-fill the create form.
- Code snippets on the mock detail page for JavaScript, Python, Go, and PHP.
- Read-only share preview at
/share/:slug with Open Graph tags.
- Per-IP rate limit (5000 hits / 8 hours) and per-IP active-mock cap (50).
- 512 KB max response body, enforced by handler and a DB
CHECK constraint.
- Docker Compose stack (app + Postgres + Redis + one-shot migration container) and a bare-metal systemd path.
- EN + RU localization, language switcher (cookie + Accept-Language).
- Privacy by design: no third-party JS, no analytics, no fonts CDN; CI enforces this on every build.
Full git history on GitHub →
← Back to home