Plague Garden
HTTP/gRPC test target for WAAP QA. Click any endpoint below or use the sidebar to start testing.
🔁 Echo
ANY /echo
Mirrors back the request: method, headers, query params, and body.
🪞 Reflect
ANY /reflect
Returns the raw request body as plain text. Useful for XSS and injection rule testing.
🔢 Status Code
GET /status/{code}
Responds with any HTTP status code in the 200–599 range.
📋 Headers
GET /headers
Inspect request headers and inject custom response headers.
📦 Body Size
GET /body
Generate response bodies of configurable size and content-type.
💚 Health Probes
GET /health/live · /health/ready
Kubernetes-style liveness and readiness probe endpoints.
⏱️ Delay
GET /delay/{seconds}
Sleep for up to 30 s then return elapsed time. Tests timeouts and keepalive rules.
↩️ Redirect
GET /redirect/{code}
Issue an HTTP redirect (301/302/303/307/308) to a configurable target URL.
🍪 Cookies
GET /cookies
Inspect request cookies and set new cookies via query params.
📄 Content-Type
GET /content-type/{mime}
Return a response of configurable size with any Content-Type.
💾 Cache
GET /cache
Return a response with configurable Cache-Control headers.
🔀 Dynamic Data
GET /dynamic/{data}
Send data via the URL path and receive it back in the response body.
🌐 API Surface
ANY /api/{subpath}
Simulate any REST API path. Returns subpath + full request details.
🔐 Login / Logout
GET+POST /login · GET /logout
HTML login form with hardcoded credentials for behavioral WAF policy testing.
⚡ AJAX Page
GET /ajax
HTML page that calls /echo via fetch(). Tests WAF JS-initiated request handling.
📃 Static Page
GET /static-page
Fixed static HTML response. Useful for caching rule and WAF static-resource exemption testing.
📤 File Upload
POST /upload
Upload a file via multipart/form-data. Returns metadata — no storage.
📖 OpenAPI Docs
/docs
Full interactive Swagger UI for all endpoints (opens in new tab).
Echo
Mirrors back the full request. Choose a method, add optional headers and body, then send.
Methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Optional inputs: custom request headers, request body
Reflect
Returns the raw request body as text/plain — nothing else. Useful for XSS and injection WAAP rule testing. Body is capped at 512 bytes.
Methods: GET, POST, PUT, PATCH, DELETE
Input: request body
Status Code
Request any HTTP status code between 200 and 599. The server responds with that exact code.
Quick picks: 200 OK, 201 Created, 204 No Content, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests, 500 Server Error, 502 Bad Gateway, 503 Unavailable, 504 Gateway Timeout
/status/200
Headers
Inspect what request headers the server receives. Use the second section to inject custom headers into the response.
Inputs: request headers to send; headers to inject into the response (via ?response-Name=Value)
/headers
Body Size
Generate a response body of a specific size and content-type. Useful for throughput and body-inspection rule testing.
Response size: 1.0 KB
/body?size=1024&content_type=application%2Foctet-stream
Delay
Sleep for up to 30 seconds then return elapsed time. Useful for timeout and keepalive rule testing.
/delay/1
Redirect
Issue an HTTP redirect with a given status code. The browser follows by default — disable follow in your HTTP client to inspect the redirect response.
/redirect/302?to=%2Fecho
Cookies
Inspect cookies sent with the request and set new cookies via ?set-name=value query params.
/cookies
Content-Type
Return a response of configurable size with any Content-Type. Useful for content-type inspection rules.
/content-type/application%2Fjson?size=128
Cache
Return a response with configurable Cache-Control headers.
/cache?max_age=3600
Dynamic Data
Send data via the URL path and receive it back in the response body as {"data": "..."}.
/dynamic/hello
API Surface
Simulate any REST API path. The server returns the matched subpath plus full request details. Useful for WAF API-mode testing.
Methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
/api/v1/users
Optional input: request body
Login / Logout
HTML login form backed by hardcoded credentials (admin / admin). Used to test behavioral WAF policies around authentication flows.
AJAX Page
A dedicated HTML page where JavaScript fetch() calls /echo. Tests WAF behavior around JS-initiated XHR/fetch requests.
/ajax
Static Page
Returns a fully static HTML page — no dynamic content. Identical response body on every request. Useful for caching rules and WAF static-resource exemption testing.
/static-page
File Upload
Upload a file via multipart/form-data. The server returns file metadata (name, size, content-type) without persisting the file.
Request Logs
Live view of all HTTP requests received by this server — method, path, status, timing, headers, and request body.
/logs
Health Probes
Kubernetes-style liveness and readiness endpoints. Both return 200 OK when the server is up.