These are platform realities and deliberate design tradeoffs — not bugs. Knowing them upfront saves time when something doesn't work as expected.
Certificate pinning
Most commonly hit limitation. Apps that pin certificates or public keys will refuse connections through any MITM proxy — including ProxyHawk — even when the CA is correctly installed and trusted.
What you see: failed TLS, SSL errors, or rows with no response in the traffic list.
Why it happens: certificate pinning is a deliberate security feature — the app only accepts specific known server certificates, rejecting anything else.
The fix: use a debug/development build of the app with pinning disabled, or configure a network security bypass in test environments.
What ProxyHawk can't do: bypass pinning without changes to the app — this is true for all proxy tools, not just ProxyHawk.
Most internal APIs don't pin — you can typically debug staging, development, and internal endpoints freely.
HTTPS requires CA installation
HTTPS traffic shows as an encrypted tunnel until you install and trust the ProxyHawk CA.
Unencrypted HTTP traffic is always visible without any CA setup.
Very large response bodies (e.g. file downloads, video streams) may be truncated in the detail view for performance.
Binary content (images, audio, zip files) is shown as a hex preview, not decoded.
Extremely large payloads may cause the detail pane to show a "preview only" indicator rather than the full body.
The underlying capture is still complete — only the display is capped.
Traffic list vs detail view
The live traffic list uses a compact format for real-time performance — truncated bodies, not all headers.
Clicking a row loads the full stored entry — complete headers, full body, timing data.
If a capture session is very long and entries have been evicted from memory, older rows may show incomplete detail. Export HAR regularly for long sessions.
API Client send behaviour
On macOS, the API Client may execute requests via the system curl binary for TLS compatibility.
This means TLS behaviour matches CLI tools and macOS trust stores — not a mobile device's networking stack.
If you're debugging a TLS issue that only appears on device, compare the captured traffic from the device directly rather than re-running from the API Client.
System proxy & helper
Toggling the macOS system proxy requires a privileged helper installed at first use.
If the helper isn't approved in System Settings → General → Login Items & Extensions, system proxy toggles won't work.
As a workaround, set Wi-Fi proxy manually in macOS Network settings: 127.0.0.1:9090.
Per-app proxy settings (available in most developer tools and browsers) don't require the helper.
macOS only
ProxyHawk is a native macOS app. There is no Windows or Linux version.
Requires macOS 13 (Ventura) or later.
iOS and Android devices are supported as capture targets — they route traffic through the Mac running ProxyHawk.
Free plan limits
The Free plan captures up to 500 requests per day.
SSL/TLS decryption, breakpoints, block rules, scripting, and Map Local / Remote require a Pro or Lifetime plan.
No account or internet connection is required to use the Free plan.
