Match & Replace

~6 min · request/response rewrite · 10 rules Free / Hunter Pro

The short version. Match & Replace rules rewrite traffic in flight — before a request leaves the proxy, or before a response reaches the browser. A rule is a match condition plus a replacement, with regex support. Use it to inject or swap a header on every request, force a value into a body, rewrite a response in a lab, or rewrite WebSocket frames. Configure rules under Settings → Match & replace. Free allows up to 10 active regex rules; unlimited rules are Hunter Pro (Advanced Match & Replace).

01What Match & Replace does

Match & Replace edits traffic as it passes through the proxy. A rule watches for a pattern and substitutes something else — so the change happens automatically, on every matching message, without you opening the request in an editor. It applies to requests on the way out and responses on the way back.

That makes it the right tool whenever you need the same edit applied consistently rather than once. Hand-editing in Repeater is for one-off pokes; Match & Replace is for a standing rewrite that holds across an entire browsing session — every request to a host carries your injected header, every copy of a response gets the same patch.

Typical jobs:

Add a header that the client never sends — a debug flag, a tracing ID, a custom X- header an API gates on.
Swap a header value — rewrite a User-Agent, pin an Accept-Language, normalize an Origin.
Force a value into a request body or query so the server always sees the input you want.
Rewrite a response body in a lab — flip a feature flag, change a returned value, expand what the client renders.
Neutralize a client-side control during authorized testing — strip a response field or rewrite a script-driven gate that only lives in the browser.
Rewrite WebSocket messages — the same match/replace logic applies to decoded WS frames.

Match & Replace alters live traffic. Only run rewrite rules against systems you are authorized to test — a rule that strips a control or forces a value changes what the application actually receives and returns.

02Where to configure it

Open Settings from the sidebar, then the Match & replace section. Every rule for the current project lives here. Rules are evaluated against traffic flowing through the proxy, so the listener has to be running for them to take effect — see Getting started if you haven't set the proxy up yet.

Two things worth knowing before you build rules:

Rules are toggleable. Each rule is independently active or inactive — the cap (below) counts active rules, so you can keep a library of rules around and switch on only the ones a given engagement needs.
Scope still applies. Rewrites ride on proxy traffic, so pairing rules with a tight Target scope keeps a rewrite from touching hosts outside your engagement.

03Anatomy of a rule

Every rule is two halves: a match condition (what to look for, and where) and a replacement (what to put in its place). The match supports regex, so you can capture and reuse parts of what you matched rather than hard-coding a literal string.

When you create a rule you choose the part of the message it targets — broadly, a header versus a body, on the request or the response side:

Target	Use it to
Request header	Add a header that isn't present, or rewrite the value of one that is, before the request is sent.
Request body	Match a substring in the outbound body and substitute a value.
Response header	Add or rewrite a header on the way back to the browser (for example, loosen or strip one a client reacts to).
Response body	Match and replace text in the returned body — flip a flag, change a value, alter what the page renders.

A rule with an empty match and a header target is how you add a header that was never there; a rule with both a match and a replacement rewrites what it finds. Leaving the replacement empty deletes the matched text. Because the match is a regex, anchor it (^, $, word boundaries) when you need precision — a loose pattern can hit more than you intended.

Match & Replace operates on the raw message, not a parsed model. If you rewrite a body, remember the server still validates it — a rewrite that changes a body's length where a framework recomputes Content-Length for you is fine, but a hand-set length that no longer matches is not.

04Inject or swap a header

The most common use. Say an API only returns the verbose error body when it sees an internal debug header that the client never sends. Add a request header rule with an empty match and the header as the replacement, and it rides on every request through the proxy:

# request-header rule — add a header that wasn't there
match:        (empty)
replacement:  X-Debug: 1

To swap a value instead of adding one, match the existing header line and rewrite it. A capture group lets you keep the part you don't want to touch — here, normalize every User-Agent to a fixed string:

# request-header rule — replace the User-Agent value
match:        ^User-Agent:.*$
replacement:  User-Agent: crusader-test/1.0

Response-header rules work the same way on the return path. A practical one in a lab: rewrite a permissive header a client trusts, or drop a header the browser uses to enforce behavior, so you can observe what the application does without it.

Auth material is still auth material. Injecting an Authorization or Cookie header with a static value via Match & Replace works, but for anything you'll reuse across tabs and tools, a saved Identity is the cleaner home — it's host-scoped and scope-aware.

05Force a value / rewrite a body

Body rules match text inside the request or response payload. On the request side, use them to force an input the server should always see — pin a parameter, override a flag the client computes, or substitute a value into a JSON field:

# request-body rule — force a parameter value
match:        "role"\s*:\s*"user"
replacement:  "role": "admin"

On the response side, body rewrites are a lab technique: change what the application hands the client so you can test how the front end behaves with values the server wouldn't normally return. Flip a boolean a feature gate reads, or rewrite a returned field:

# response-body rule — flip a client-side feature flag (lab)
match:        "isAdmin"\s*:\s*false
replacement:  "isAdmin": true

This is the heart of neutralizing a client-side control: when a gate is enforced only in the browser — a disabled button, a hidden section, a flag the JS checks — a response-body rule rewrites the value the client sees and the gate opens. It proves whether the control is real (enforced server-side) or cosmetic. If the server re-checks, your forced value bounces; that result is itself the finding.

Forcing values and rewriting responses changes live application behavior. Keep it to authorized targets, and prefer a tight scope so a broad regex doesn't rewrite traffic to an unrelated host.

06Rewrite WebSocket frames

Match & Replace isn't limited to HTTP. Crusader captures and bridges WebSocket connections and decodes their frames, and a WebSocket Match & Replace variant rewrites those messages in flight — the same match-condition-plus-replacement model, applied to decoded WS frames as they pass between client and server.

That covers the apps where the interesting traffic moves over a socket after the initial handshake — live dashboards, chat, trading and gaming front ends, anything that pushes JSON over WS. Rewrite an outbound frame to force a value the server receives, or rewrite an inbound frame to change what the client renders, exactly as you would with an HTTP body.

For one-off, interactive WS edits, Crusader also has WebSocket interception — hold and edit individual client→server / server→client frames (in-scope only). Match & Replace is the standing-rule counterpart: it rewrites matching frames automatically instead of pausing each one. (WebSocket-over-HTTP/2, RFC 8441, is out of scope.)

07Limits, tiers & the CLI

Match & Replace is a Free feature, capped at 10 active regex rules. That's enough for a focused engagement — a handful of header injections and a body rewrite or two. Toggle rules off to stay under the cap while keeping the rest of your library on hand.

Unlimited rules are part of Hunter Pro (the Advanced Match & Replace capability). If you maintain a large standing rule set across many hosts, or hit the cap mid-engagement, that's the upgrade. Everything else — regex, request/response targeting, WebSocket rewriting — is available on Free within the 10-rule limit.

Rules are also reachable from the command line for scripted and agent-driven setups:

# manage Match & Replace rules from the CLI (alias: mr)
crusader match-replace --help
crusader mr --help

Like every Crusader CLI verb, it prints JSON to stdout, so it's safe to pipe in scripts.

Capability	Tier
Request / response rewrite rules	Free
Regex matching	Free
WebSocket frame rewriting	Free
Up to 10 active rules	Free
Unlimited active rules (Advanced Match & Replace)	Hunter Pro

Target scope → Repeater → Getting started →

Want a guide that isn't here yet? Email hello@crusaderproxy.com.