Testing Options for cxprotect.com

Proxy test suite — endpoint documentation, browser links & curl examples

GET 1. Static File Serving

Serves any static file directly from the web root. Supports HTML, images, PDF, text inline; all other types as forced downloads.

curl Direct: 
curl https://www.cxprotect.com/index.html
curl via Proxy: 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/index.html

POST 2. Single File Upload

Standard HTML multipart/form-data interface for single file uploads. Max 200 MB.

Browser: /upload-form
curl Direct: 
curl -X POST -F "file=@/path/to/file.txt" https://www.cxprotect.com/upload
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST -F "file=@/path/to/file.txt" https://www.cxprotect.com/upload

POST 3. Multiple File Upload

Upload multiple files simultaneously using the files field name.

Browser: /upload-multiple
curl Direct: 
curl -X POST -F "files=@file1.txt" -F "files=@file2.pdf" https://www.cxprotect.com/upload-multiple
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST -F "files=@file1.txt" -F "files=@file2.pdf" https://www.cxprotect.com/upload-multiple

POST 4. Direct Binary Upload

Upload raw binary data via request body. Use ?filename= to name the saved file. Tests upload buffer size and DLP rules on raw POST data.

curl Direct: 
curl -X POST --data-binary "@/path/to/file.zip" -H "Content-Type: application/zip" "https://www.cxprotect.com/upload-direct?filename=test.zip"
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST --data-binary "@/path/to/file.zip" -H "Content-Type: application/zip" "https://www.cxprotect.com/upload-direct?filename=test.zip"

POST 5. Upload Size Limit → 413

Enforces a per-request upload size cap. Returns 413 Payload Too Large if exceeded. Tests how your proxy handles oversized uploads.

/upload-limit/:mb — default 1 MB, max 200 MB.

curl Direct (exceed 1 MB limit): 
curl -X POST -F "file=@large_file.bin" https://www.cxprotect.com/upload-limit/1
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST -F "file=@large_file.bin" https://www.cxprotect.com/upload-limit/1

GET 6. Directory Listing

Returns a browsable directory listing. Available for /downloads, /malware, /image_store, /uploads, and any folder in the web root.

Browser: /downloads Browser: /uploads Browser: /image_store
curl Direct: 
curl https://www.cxprotect.com/downloads
curl via Proxy: 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/downloads

GET 7. Sample File Downloads

Download real sample files. Supports HTTP Range requests for partial download testing.

curl Direct (Range request): 
curl -H "Range: bytes=0-1048576" https://www.cxprotect.com/downloads/swgaudit.exe -o partial.exe
curl via Proxy: 
curl -x 127.0.0.1:8080 -H "Range: bytes=0-1048576" https://www.cxprotect.com/downloads/swgaudit.exe -o partial.exe

GET 8. Malware / EICAR Files

EICAR test files in various formats for testing ClamAV, SqScan, and custom signature detection.

Browser: /malware
curl Direct: 
curl https://www.cxprotect.com/malware/eicar-test.txt
curl via Proxy (should be blocked): 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/malware/eicar-test.txt
curl via Proxy — custom signature: 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/malware/custom_sig.txt

ANY 9. Echo Request Headers

Returns all request headers as an HTML table. Key for testing X-Forwarded-For, Via, User-Agent stripping, cookie pass-through, and custom injected headers.

Browser: /echo-headers
curl Direct: 
curl -H "X-Custom-Test: hello" https://www.cxprotect.com/echo-headers
curl via Proxy (check X-Forwarded-For and Via): 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/echo-headers

ANY 10. Echo Full Request (JSON)

Returns method, URL, headers, query params, and body as JSON. Useful for request-type identification and content modifier testing.

Browser: /echo-request
curl Direct: 
curl -X POST -H "Content-Type: application/json" -d '{"test":"value"}' https://www.cxprotect.com/echo-request
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST -H "Content-Type: application/json" -d '{"test":"value"}' https://www.cxprotect.com/echo-request

ANY 11. POST Data Echo

Echoes the POST body back as an HTML page. Tests DLP upload blocking, upload buffer size limits, and content modifier find-and-replace on POST data.

Browser: /post-data
curl Direct (form data): 
curl -X POST -d "username=admin&password=secret" https://www.cxprotect.com/post-data
curl via Proxy (test DLP block): 
curl -x 127.0.0.1:8080 -X POST -H "Content-Type: text/plain" -d "Anonymous Proxy" https://www.cxprotect.com/post-data

GET 12. Set Cookies

Sets multiple test cookies with varying attributes (HttpOnly, SameSite=None, persistent). Tests cookie filter keep/drop rules and elevated privacy (third-party cookie stripping).

Browser: /set-cookie Set custom cookie
curl Direct: 
curl -i https://www.cxprotect.com/set-cookie
curl via Proxy (check Set-Cookie in response): 
curl -x 127.0.0.1:8080 -i https://www.cxprotect.com/set-cookie

GET 13. Cookie Echo

Echoes cookies received in the request as a table. After visiting /set-cookie, check here to see which cookies your proxy forwarded or dropped.

Browser: /cookie-echo
curl Direct (with cookies): 
curl -H "Cookie: session_id=abc123; tracking_id=xyz789" https://www.cxprotect.com/cookie-echo
curl via Proxy: 
curl -x 127.0.0.1:8080 -H "Cookie: session_id=abc123; tracking_id=xyz789" https://www.cxprotect.com/cookie-echo

GET 14. Compressed Data (gzip)

Always returns a Content-Encoding: gzip response regardless of Accept-Encoding. Tests proxy transparent decompression and compress-incoming/outgoing rules.

Browser: /compressed-data
curl Direct: 
curl -H "Accept-Encoding: gzip" --compressed https://www.cxprotect.com/compressed-data
curl via Proxy: 
curl -x 127.0.0.1:8080 -H "Accept-Encoding: gzip" --compressed https://www.cxprotect.com/compressed-data

GET 15. Chunked Transfer Encoding

Sends response in N chunks with a delay between each. No Content-Length header → forces Transfer-Encoding: chunked. Tests chunked response buffering.

Routes: /chunked/:chunks?/:delay_ms? · /transfer-encoding (alias)

Browser: /transfer-encoding Browser: /chunked/10/500
curl Direct: 
curl -N https://www.cxprotect.com/transfer-encoding
curl via Proxy (10 chunks, 500ms gap): 
curl -x 127.0.0.1:8080 -i -N https://www.cxprotect.com/chunked/10/500

GET 16. Trickle / Slow Response

Drips one byte at a time with a configurable delay between each byte. Tests proxy read-timeout, buffer patience, and keepalive timeout.

Route: /trickle/:bytes?/:delay_ms? — defaults: 80 bytes, 100ms delay.

Browser: /trickle Browser: /trickle/50/300
curl Direct: 
curl -N https://www.cxprotect.com/trickle/50/200
curl via Proxy: 
curl -x 127.0.0.1:8080 -N https://www.cxprotect.com/trickle/50/200

GET 17. Content Size Generator

Generates and streams exactly the requested amount of random data. Supports byte suffixes: K = KB, M = MB, G = GB. Max 2 GB.

Tests minimum/maximum content size response profiling and download buffer size limits.

Browser: 100 KB Browser: 1 MB
curl Direct: 
curl https://www.cxprotect.com/content-size/1M -o /dev/null
curl via Proxy (test download buffer): 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/content-size/512M -o /dev/null

GET 18. Large Payload

Streams N megabytes of binary data. Default 1 MB, max 100 MB. Tests proxy buffering, memory limits, and throughput.

Browser: 1 MB Browser: 10 MB
curl Direct: 
curl https://www.cxprotect.com/large-payload/10 -o /dev/null
curl via Proxy: 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/large-payload/50 -o /dev/null

GET 19. Blob Download

Returns random binary data of exactly ?size= bytes as a downloadable blob. Use ?filename= to name it.

Browser: 5 KB blob
curl Direct: 
curl "https://www.cxprotect.com/blob?size=1024&filename=test.bin" -o test.bin
curl via Proxy: 
curl -x 127.0.0.1:8080 "https://www.cxprotect.com/blob?size=1024&filename=test.bin" -o test.bin

GET 20. Simulate Response Delay

Holds the response for N seconds before replying. Tests proxy connect timeout, header timeout, and keepalive timeout thresholds.

Routes: /delay/:seconds? · /simulate_delay/:seconds? (alias). Default 5s, max 60s.

Browser: 5s delay Browser: 10s delay
curl Direct: 
curl https://www.cxprotect.com/simulate_delay/10
curl via Proxy: 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/delay/30

GET 21. HTTP Status Codes

Forces the server to return any status code 100–599. 3xx codes redirect to /status/200.

200 403 404 500 418
curl Direct: 
curl https://www.cxprotect.com/status/500
curl via Proxy: 
curl -x 127.0.0.1:8080 -i https://www.cxprotect.com/status/403

GET 22. No Response Body

Returns a status code with a completely empty body. Tests how the proxy handles bodyless responses (204, 304, 403, etc.).

204 No Content 403 No Body
curl Direct: 
curl -i "https://www.cxprotect.com/no-response?code=204"
curl via Proxy: 
curl -x 127.0.0.1:8080 -i "https://www.cxprotect.com/no-response?code=403"

GET 23. Custom Response Headers

Sets a fixed set of proxy-relevant response headers plus any additional ones you specify via query params. Tests header filter keep/drop/inject policies.

Also echoes back X-Forwarded-For and Via headers received from the proxy.

Browser: /custom-headers Custom headers
curl Direct: 
curl -i "https://www.cxprotect.com/custom-headers?X-Test-Header=myvalue"
curl via Proxy: 
curl -x 127.0.0.1:8080 -i "https://www.cxprotect.com/custom-headers"

GET 24. HTTP Basic Authentication

Requires HTTP Basic Auth. Credentials default to admin / secret. On success, serves the downloads directory listing.

Route: /auth/basic/:user?/:pass? — override credentials in the URL.

Browser: /auth/basic
curl Direct (correct credentials): 
curl -u admin:secret https://www.cxprotect.com/auth/basic
curl via Proxy (test proxy auth handling): 
curl -x 127.0.0.1:8080 -u admin:secret https://www.cxprotect.com/auth/basic
curl Direct (wrong credentials → 401): 
curl -u wronguser:wrongpass https://www.cxprotect.com/auth/basic

GET 25. HTTP Digest Authentication

Requires HTTP Digest Auth (MD5). Fixed credentials: admin / secret. On success, serves the downloads directory listing.

Browser: /auth/digest
curl Direct (digest): 
curl --digest -u admin:secret https://www.cxprotect.com/auth/digest
curl via Proxy: 
curl -x 127.0.0.1:8080 --digest -u admin:secret https://www.cxprotect.com/auth/digest

GET 26. Redirect Chain

Performs N redirects before landing on the final destination. Default 3 hops, max 20. Override status code with ?code=301.

Tests proxy redirect-following, 302 redirect behaviour, and URL encoding through redirect hops.

3 hops (302) 5 hops (301) 10 hops (307)
curl Direct (follow redirects): 
curl -L https://www.cxprotect.com/redirect/5
curl via Proxy: 
curl -x 127.0.0.1:8080 -L "https://www.cxprotect.com/redirect/5?code=301"

GET 27. Drop Connection (TCP)

Immediately destroys the TCP socket — no HTTP response is ever sent. Simulates a hard connection failure or unreachable host. Tests how the proxy handles and reports connection failures.

curl Direct (will fail): 
curl https://www.cxprotect.com/drop-connection
curl via Proxy (proxy should report error): 
curl -x 127.0.0.1:8080 https://www.cxprotect.com/drop-connection

GET 28. CSP Testing Lab

Comprehensive interactive page for testing multiple CSP directives including script-src, img-src, frame-src, and connect-src.

Browser: Launch CSP Lab
curl Direct (check CSP header): 
curl -I https://www.cxprotect.com/testcsp
curl via Proxy: 
curl -x 127.0.0.1:8080 -I https://www.cxprotect.com/testcsp

GET 29. CSP Trusted Types

Page with require-trusted-types-for 'script' enforced. Tests if the proxy strips or modifies CSP headers that would otherwise block DOM injection.

Browser: Launch TT Lab
curl Direct: 
curl -I https://www.cxprotect.com/csp_tt
curl via Proxy: 
curl -x 127.0.0.1:8080 -I https://www.cxprotect.com/csp_tt

POST 30. CSP Violation Reports

Receives browser-sent CSP violation reports (Content-Type: application/csp-report). Stores up to 500 reports. View logged reports in your browser.

View Reports
curl Direct (manual report): 
curl -X POST -H "Content-Type: application/csp-report" \
  -d '{"csp-report":{"document-uri":"https://www.cxprotect.com/testcsp","violated-directive":"script-src"}}' \
  https://www.cxprotect.com/csp_reports
curl via Proxy: 
curl -x 127.0.0.1:8080 -X POST -H "Content-Type: application/csp-report" \
  -d '{"csp-report":{"document-uri":"https://www.cxprotect.com/testcsp","violated-directive":"script-src"}}' \
  https://www.cxprotect.com/csp_reports