Changelog

Technical changes shipped to Quickmock — features, fixes, security hardening. Source-of-truth is the git history; this page is the curated developer-facing view.

2026-07-17 — Admin token per mock

Added

  • Creating a mock now returns a one-time admin token, shown once in a copyable banner on the mock page — save it, because it can't be shown again.
  • Editing a mock, deleting it, or clearing its logs now needs that token: send it as Authorization: Bearer <token>. Reading a mock, its logs, and the live inspector still work by slug alone, no token required.
  • Mocks created before this release keep working without a token until they expire. New guide: Manage mocks from any device.

2026-07-05 — Live inspector, export & import, anti-spam

Added

  • The request inspector streams over Server-Sent Events: new requests appear instantly, with no polling, and the page falls back to polling automatically where SSE is unavailable.
  • Export a mock's config as JSON from its page (no logs, no IPs) and import it on the create form — from a file or pasted text, entirely in your browser. The format matches POST /api/mocks, so exports are replayable via the API.
  • An anti-spam content filter blocks abusive mock creation. Operators can replace the built-in pattern list (QUICKMOCK_SPAM_PATTERNS_FILE), disable it, or allowlist IPs (QUICKMOCK_SPAM_ALLOW_IPS).

2026-06-19 — CORS toggle

Added

  • One checkbox on the create form turns on a permissive, credential-free CORS preset (Access-Control-Allow-Origin: * and friends) and answers OPTIONS preflight with 204 — call a mock from browser JS on any origin, no proxy.
  • New use-case guide: Mock an API with CORS.

2026-06-13 — Use-case guides

Added

  • New /guide section: scenario-first landing pages for common tasks — mock a REST API, test retry logic, simulate flaky or slow APIs, inspect webhooks, return fake data, echo the request. Each page has a ready-to-run curl example; all are listed in the sitemap.
  • Each guide now has a copy button on its curl examples and a one-click Create a mock CTA that opens the home form pre-filled with that recipe's config — method, body, delay, error rate, sequence — ready to submit.

2026-06-11 — Flaky-API simulation

Added

  • Response sequences: a mock can now hold an ordered list of up to 10 extra responses (status + body + headers each) cycled per hit — 1st call → main response, 2nd → step 2, … then loop. Classic retry-logic testing. The position is a shared per-mock counter (Redis, with an in-process fallback), so every caller advances the same sequence.
  • Error rate & delay jitter: a configurable share of requests (0–100%, rolled per request) can answer with an alternate status/body, and the response delay can be a min–max range for random latency jitter instead of a fixed value. All three settings combine, and a new X-Mockapi-Variant response header (default, error, or seq-i/n) shows which branch served each hit. Configurable from the create form (new “Flaky simulation” section) and the API.
  • The “Who built this” section on the home page now links to the maintainer's personal site (deadsquirrel.dev), language-matched per locale.

2026-06-10 — Request echo tokens

Added

  • New request.* dynamic tokens echo the incoming request back into the response body: {{request.method}}, {{request.path}}, {{request.ip}}, {{request.query.id}}, {{request.header.x-request-id}}, {{request.body}}, and JSON dot paths like {{request.body.user.name}}. Values are inserted verbatim and nothing extra is stored — a static mock can now answer with data from the request itself.

Fixed

  • The 2026-05-20 entry below used to display Go-template escaping ({{`…`}}) around every token instead of the token itself — leftover from copying the markup out of an HTML template. Now it shows plain {{faker.uuid}} and friends.

2026-06-08 — Author link

Added

  • Footer credit now links the author name to the maintainer's personal site (deadsquirrel.dev), language-matched per locale, with rel="me" as an identity signal.

2026-05-25 — Site content pass

Added

  • This /changelog page itself, in EN and RU, with hreflang and an entry in sitemap.xml.
  • Home page: a Quick glossary section (Mock API, Endpoint, TTL, Faker token, Content-Type) for readers landing here without context.
  • Home page: a Who built this block with author bio and direct links to GitHub, LinkedIn, Telegram — and a Why I built Quickmock personal-story section, so the page isn't a faceless tool landing.
  • Visible Last updated stamp at the bottom of the home page; dateModified mirrored into the WebApplication JSON-LD so AI crawlers see freshness.

Fixed

  • ?lang=<code> in the URL now actually serves that language. Previously the canonical / hreflang links pointed at ?lang=ru but the resolver only read the cookie and Accept-Language, so a bot following the hreflang link saw English content — the multilingual signal was a lie.

2026-05-23

Security

  • Origin hardening for /m/*: the public mock router now strips request-altering headers a malicious caller could use to confuse downstream proxies, slugs were lengthened (more entropy), and internal error messages are redacted before they reach the wire — no DSN fragments, no stack frames.
  • Language switcher (POST /language) now accepts same-origin absolute Referers, so the redirect-back path works behind reverse proxies that rewrite the Referer header. Cross-origin Referers are still rejected.

Fixed

  • RealIP middleware now trusts X-Forwarded-For / X-Real-IP when the immediate peer is loopback or a private/link-local address. Previously XFF was honored only for loopback peers, so behind Docker Compose every request was attributed to the bridge gateway (e.g. 172.18.0.1) — making creator_ip and request_ip useless and turning the per-IP mock limit into a global one.
  • Mock router now stores incoming request headers with lowercased keys, so request_headers->>'user-agent' works regardless of wire casing.
  • UI: slug examples updated to the new 12-char format; Copy-URL button restored on the mock detail page.

2026-05-21 — UGC disclaimer

Added

  • Footer disclaimer and Terms-of-use modal: mocks are user-generated content, prohibited categories (malware, phishing, CSAM, attack infrastructure) are spelled out, and an abuse-report channel is published.
  • Footer modal stays usable on small viewports — close button is no longer clipped on mobile.

2026-05-20 — Dynamic tokens

Added

  • Faker / now token substitution in response bodies: {{faker.uuid}}, {{faker.email}}, {{faker.name}}, {{now.iso8601}}, plus 18 more (people, IDs, network, text, time). The mock stores the template as-is and renders fresh random values on every hit, so one mock can serve different data per call. Full list lives under Dynamic tokens on the create form.

2026-05-18 — Hardening & quality of life

Fixed

  • Docker Compose deploy now waits for the --wait healthcheck instead of polling /healthz in a shell loop, so deploys no longer print the cosmetic curl: (52) Empty reply while the proxy and Go process finish racing.
  • POSTGRES_PASSWORD example in .env.example now warns against base64-encoded values — pgx's DSN parser chokes on + / = in the password.

2026-05-17 — Initial public release

Added

  • Core mock engine: create, view, edit, delete; all HTTP methods including ANY.
  • Public /m/:slug router with configurable status, body, headers, response delay (0–30 s), and TTL.
  • Live request inspector: HTMX 2-second poll, per-mock counter, clear-logs.
  • cURL import — paste a curl … command to pre-fill the create form.
  • Code snippets on the mock detail page for JavaScript, Python, Go, and PHP.
  • Read-only share preview at /share/:slug with Open Graph tags.
  • Per-IP rate limit (5000 hits / 8 hours) and per-IP active-mock cap (50).
  • 512 KB max response body, enforced by handler and a DB CHECK constraint.
  • Docker Compose stack (app + Postgres + Redis + one-shot migration container) and a bare-metal systemd path.
  • EN + RU localization, language switcher (cookie + Accept-Language).
  • Privacy by design: no third-party JS, no analytics, no fonts CDN; CI enforces this on every build.

Full git history on GitHub →

← Back to home