Body Rewrite
Chute can search and replace content in HTTP request and response bodies using regular expressions or JSONPath expressions. This requires MitM decryption for HTTPS traffic.
Body rewrite rules are defined in the [Body Rewrite] section. Multiple rules can be applied to a single request.
[Body Rewrite]
^https://api\.example\.com/response response regex "old-text" "new-text"
^https://api\.example\.com/request request regex "sensitive" "[redacted]"
^https://api\.example\.com/data jsonpath-response jsonpath $.ads null
Rule Format
Each rule follows this general format:
<URL regex> [direction] <mode> <pattern> <replacement>
Direction
| Keyword | Description |
|---|---|
response |
Apply to response body (default if omitted) |
request |
Apply to request body |
Modes
| Mode | Description |
|---|---|
regex |
Regular expression search-and-replace |
jsonpath-response / jsonpath-request / body-jsonpath-response / body-jsonpath-request |
JSONPath-based modification |
Regex Mode
Performs standard regex find-and-replace on the decoded body text. Uses NSRegularExpression (ICU) with case-insensitive matching. The replacement supports capture group references ($1, $2, etc.).
<URL regex> [response|request] regex <pattern> <replacement>
Example — remove ads from JSON response:
[Body Rewrite]
^https://api\.example\.com/feed response regex "\"ads\":\s*\[.*?\]" "\"ads\":[]"
Example — sanitize request body:
[Body Rewrite]
^https://api\.example\.com/submit request regex "\"password\":\s*\".*?\"" "\"password\":\"[FILTERED]\""
Example — use capture groups to reformat data:
[Body Rewrite]
// Swap "last, first" to "first last"
^https://api\.example\.com/users response regex "\"name\":\s*\"(\\w+),\\s*(\\w+)\"" "\"name\":\"$2 $1\""
Example — rewrite embedded URLs in response body:
[Body Rewrite]
^https://api\.example\.com response regex "https://old-cdn\\.example\\.com" "https://new-cdn.example.com"
Tokens containing spaces must be quoted with double quotes:
[Body Rewrite]
^https://example\.com response regex "old value with spaces" "new value"
To include a literal double quote inside a quoted token, escape it with backslash: \".
JSONPath Mode
Modifies JSON bodies using JSONPath expressions. Supports reading, setting, and deleting values at specific paths.
<URL regex> jsonpath-response|jsonpath-request jsonpath <jsonpath-expression> [value]
Supported JSONPath Syntax
| Expression | Description |
|---|---|
$.key |
Access object property |
$.key.subkey |
Access nested properties |
$[0] |
Access array element by index |
$.key[0].subkey |
Mixed object and array access |
$.items[*].name |
Wildcard: all items in array |
$.*.value |
Wildcard: all properties |
Value Types
| Value | Result |
|---|---|
"string" |
Set to string value |
42 |
Set to integer |
3.14 |
Set to float |
true |
Set to boolean true |
false |
Set to boolean false |
null or omitted |
Delete the path |
Example — set a JSON field:
[Body Rewrite]
^https://api\.example\.com/profile jsonpath-response jsonpath $.user.name "Anonymous"
Example — delete a JSON field:
[Body Rewrite]
^https://api\.example\.com/data jsonpath-response jsonpath $.tracking null
Example — wildcard modification:
[Body Rewrite]
^https://api\.example\.com/list jsonpath-response jsonpath $.items[*].hidden true
Practical Examples
Strip Tracking Parameters from JSON Responses
Remove trackingId and sessionId fields from all API responses:
[Body Rewrite]
^https://api\.example\.com/ jsonpath-response jsonpath $.trackingId null
^https://api\.example\.com/ jsonpath-response jsonpath $.sessionId null
Inject a script tag into HTML responses
Append a custom <script> tag before </body> in all HTML pages:
[Body Rewrite]
^https://www\.example\.com/ response regex "</body>" "<script>console.log('injected')</script></body>"
Redact sensitive fields in request logs
Replace API keys and tokens in outgoing request bodies before they reach the server:
[Body Rewrite]
^https://api\.example\.com/ request regex "\"apiKey\":\s*\"[^\"]+\"" "\"apiKey\":\"[REDACTED]\""
^https://api\.example\.com/ request regex "\"token\":\s*\"[^\"]+\"" "\"token\":\"[REDACTED]\""
Normalize date formats in responses
Replace ISO dates with a shorter format:
[Body Rewrite]
^https://api\.example\.com/ response regex "(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z" "$1/$2/$3 $4:$5"
Disable feature flags in app config
Force all feature flags to false in a configuration endpoint:
[Body Rewrite]
^https://api\.example\.com/config jsonpath-response jsonpath $.features[*].enabled false
Rewrite CDN URLs in cached responses
Replace all references to an old CDN with a new one:
[Body Rewrite]
^https://www\.example\.com/ response regex "https://old-cdn\.example\.com" "https://new-cdn.example.com"
Processing Pipeline
Body rewrite automatically handles:
- Content-Encoding: Supports
gzipanddeflate. Skips unsupported encodings. - Transfer-Encoding: De-chunks chunked transfer encoding before processing.
- Decoding: Decompresses bodies before applying rewrite rules.
- Re-encoding: Re-compresses bodies and updates
Content-Length. RemovesTransfer-Encodingheader.
Max body size for rewrite processing is 128KB by default. Bodies larger than this are passed through without modification.
Notes
- For HTTPS traffic, MitM decryption must be enabled for the matching hostname.
- Regex matching is case-insensitive. The replacement template supports ICU capture group references:
$0(full match),$1(first group),$2(second group), etc. - JSONPath mode only applies if the body is valid JSON.
- Body rewrite rules are applied to the decoded (UTF-8) body text.
- Multiple rules can match and apply to the same request/response (they are applied in the order they are defined).
- When a rule sets or deletes a value via JSONPath that doesn't exist, the body is left unchanged.