Browser Setup

Hugin intercepts HTTP/HTTPS traffic by acting as a proxy. You need to (1) point your browser at the proxy and (2) trust the Hugin CA certificate.

🔗Quick Setup (Mullvad Browser)

Open the Browser view in the sidebar and click Launch Mullvad Browser. Hugin automatically:

  1. Creates a temporary Firefox profile with the proxy pre-configured
  2. Imports the Hugin CA certificate
  3. Disables certificate pinning, HSTS preload, and HTTPS-Only Mode
  4. Disables the Mullvad Browser Extension (which would override proxy settings)
  5. Launches the browser in an isolated profile

No manual configuration needed. Your normal Mullvad Browser profile is untouched.

Requirement: certutil must be installed (brew install nss on macOS).

🔗Quick Setup (System-wide CA Trust)

For Chrome, Safari, or any browser that uses the OS trust store, the simplest path is:

hugin ca trust

This installs Hugin’s CA into the system keychain (sudo required). To remove it later:

hugin ca untrust

Then point the browser at 127.0.0.1:8080 (see Configure the Proxy below).

🔗Manual Setup

🔗Step 1: Configure the Proxy

Set your browser to use 127.0.0.1 port 8080 as its HTTP and HTTPS proxy.

🔗Firefox / Mullvad Browser

Settings > Network Settings > Manual Proxy Configuration:

  • HTTP Proxy: 127.0.0.1, Port: 8080
  • Check “Also use this proxy for HTTPS”

🔗Mullvad Browser – Extra Settings

Mullvad Browser requires additional about:config overrides:

  • security.enterprise_roots.enabled = true
  • security.cert_pinning.enforcement_level = 0
  • network.stricttransportsecurity.preloadlist = false
  • dom.security.https_only_mode = false
  • dom.security.https_only_mode_ever_enabled = false
  • dom.security.https_only_mode_pbm = false
  • extensions.torlauncher.start_tor = false
  • extensions.installDistroAddons = false

The Mullvad Browser Extension uses browser.proxy.onRequest to route all traffic through a SOCKS proxy, overriding your manual settings. Disable it via Add-ons > Extensions, or set extensions.installDistroAddons to false.

Mullvad Browser resets prefs.js on each startup. Use user.js in the profile directory for persistent settings.

🔗Chrome / Chromium

Chrome uses system proxy settings. Alternatively, launch with a flag:

chromium --proxy-server="http://127.0.0.1:8080"

🔗macOS System Proxy

System Settings > Network > (your adapter) > Advanced > Proxies:

  • HTTP Proxy: 127.0.0.1:8080
  • HTTPS Proxy: 127.0.0.1:8080

🔗Step 2: Trust the CA Certificate

Hugin generates a CA certificate at ~/.hugin/Hugin-Proxy-CA.pem on first run. Your browser or OS must trust this certificate for HTTPS interception.

You can also download it from http://127.0.0.1:8081/api/ca.pem while Hugin is running.

hugin ca trust

This installs the CA into the system trust store (macOS Keychain, Linux ca-certificates, or Windows Root store). Use hugin ca untrust to reverse.

🔗Manual: macOS (System Keychain)

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/.hugin/Hugin-Proxy-CA.pem

🔗Manual: Linux (System-wide)

sudo cp ~/.hugin/Hugin-Proxy-CA.pem /usr/local/share/ca-certificates/hugin-ca.crt
sudo update-ca-certificates

🔗Manual: Windows (Administrator)

certutil -addstore Root %USERPROFILE%\.hugin\Hugin-Proxy-CA.pem

🔗Firefox (Manual Import)

Firefox uses its own certificate store, separate from the OS:

  1. Settings > Privacy & Security > Certificates > View Certificates
  2. Authorities tab > Import
  3. Select ~/.hugin/Hugin-Proxy-CA.pem
  4. Check “Trust this CA to identify websites”

Or via command line with certutil (from NSS tools):

certutil -A -n "Hugin Proxy CA" -t "CT,C,C" \
  -i ~/.hugin/Hugin-Proxy-CA.pem \
  -d "sql:$(find ~/Library/Application\ Support/Firefox/Profiles -name '*.default-release' | head -1)"

🔗Chrome on Linux

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Hugin CA" \
  -i ~/.hugin/Hugin-Proxy-CA.pem

🔗Verifying the Setup

  1. Start Hugin
  2. Open the configured browser
  3. Visit any HTTPS site (e.g., https://httpbin.org/get)
  4. Check the HTTP History tab in Hugin – you should see the request appear
  5. No certificate warnings should appear in the browser

If you see certificate errors:

  • Verify the CA cert is imported and trusted (hugin doctor runs an end-to-end check)
  • For Mullvad Browser: confirm security.cert_pinning.enforcement_level = 0
  • For HSTS-protected sites: confirm network.stricttransportsecurity.preloadlist = false

🔗Scope

By default, Hugin captures all traffic through the proxy. To limit capture to specific targets, configure scope in the Scopes view within the UI, or edit config.toml:

[scope]
include_hosts = ["*.example.com", "api.target.com"]
exclude_hosts = ["fonts.googleapis.com", "*.analytics.com"]

🔗Mullvad VPN Compatibility

Hugin works alongside Mullvad VPN. Browser traffic routes through the Hugin proxy on localhost, then Hugin’s outbound connections go through the VPN tunnel. Enable split tunneling in the Mullvad app if you experience connectivity issues.