Settings

All Hugin configuration that can be changed at runtime lives in the Settings view. Open with Ctrl+, or via the gear icon in the sidebar.

The settings panel is grouped into five categories. Each tab maps directly to a section of ~/.hugin/config.toml, but you can edit visually here without restarting Hugin.

🔗User Settings

🔗Appearance

Sections: Theme, UI Font, Editor Font, Preview, Layout, Custom CSS, Custom JavaScript.

  • Theme — Kanagawa Wave (dark) or Kanagawa Lotus (light)
  • UI Font — picker over the bundled sans-serif options
  • Editor Font — picker over bundled mono fonts (with size control)
  • Preview — live sample of the current theme + font choices
  • Layout — Reset button to clear saved split-pane positions (takes effect next launch)
  • Custom CSS — paste arbitrary CSS that loads after Hugin’s stylesheet
  • Custom JavaScript — paste JS that runs in the desktop UI (advanced; sandbox is the WebView itself)

🔗Shortcuts

A scrollable list of every ShortcutAction and its current binding. Reassign a binding by clicking a row and pressing the new key combo, or reset overrides to defaults. Categories include Global, Navigation, Editing, Dialogs, Repeater, and view-switch shortcuts.

🔗Proxy

🔗Network

Proxy and HTTP/2 configuration — listen addresses, upstream proxy chain (Tor / Burp / Mullvad SOCKS5 presets), per-host proxy rules, HTTP/2 toggle, per-host HTTP version overrides. Backed by the [proxy] and [http2] sections of ~/.hugin/config.toml plus the settings MCP tool’s set_proxy / set_http2 actions.

🔗Certificate

CA certificate and per-host TLS overrides — CA cert/key paths, per-host TLS certificate pinning (per_host_certs), per-host client TLS certs for mTLS (client_certs). Backed by the [ca] and [proxy] sections of config.toml. Export CA via hugin ca export; install/remove from system trust store via hugin ca trust / hugin ca untrust.

🔗Scope Presets

Saved scope configurations you can swap between. Backed by the scope MCP tool’s save_preset / load_preset / list_presets / delete_preset actions. Each preset stores include/exclude host patterns and the scope mode.

🔗Integrations

🔗AI / Assistant

  • Provider — OpenAICompatible / Anthropic / Google
  • Base URL (for OpenAICompatible — defaults to OpenRouter)
  • API key — encrypted at rest using OS keyring or derived key
  • Model — picker with curated list per provider; freeform input for custom models
  • Max tokens per response
  • Temperature
  • Custom system prompt — overrides Hugin’s default agent system prompt
  • Per-task routing — route specific tasks (summarize, classify, draft) to cheaper models
  • Concurrency limitsmax_concurrent_llm, max_concurrent_agents
  • Caching — toggle response caching, set max tokens/day budget
  • Test connection button — sends a one-shot prompt to verify provider reachability

🔗MCP Server

MCP server lifecycle and dynamic-plugin management. The [mcp] config section controls auto_reload (restart MCP when the binary is rebuilt) and poll_interval_secs (binary-change detection cadence). Loaded .dylib / .so / .dll plugins are managed via hugin plugin mcp list / install / remove / dir.

🔗Platforms

  • API tokens for HackerOne, Bugcrowd, YesWeHack, Intigriti
  • Test connection per platform
  • Sync programs — pulls available programs into the Recon views
  • See also the HackerOne and YesWeHugin chapters for platform-specific UIs

🔗Developer

🔗Custom Code

Lua extension and dynamic-plugin developer settings. Extension files live under ~/.hugin/extensions/. Permission grants for guarded Lua APIs (filesystem, network, system commands) and audit-log review live here. See Lua Plugins for the permission model.

🔗Advanced

🔗Data & Import

Database location, body-size cap ([storage].max_body_size), and the Backups controls (auto-backup toggle, interval, retention, manual create / restore / delete).

🔗Scheduled Tasks

  • View, create, pause, delete jobs that run on a cron / interval schedule
  • Job types: scan, intruder run, crawler, ratrace, custom workflow
  • See the Scheduler chapter for full details

🔗Account

License status (Community / Pro / Trial), expiry, device fingerprint, and the Account ID input + Activate button. The trial is auto-claimed by the licensing client on first launch — no separate Start Trial button is needed.

The search box at the top of the settings panel filters tabs by name in real time. Useful when you don’t remember which group a setting lives in.

🔗Saving Changes

Many settings save immediately as you change them. Settings that require a proxy or process restart (network bind addresses, CA paths) are flagged in the UI when you change them.

🔗Per-Project Overrides

Some configuration is per-project rather than global — notably scope and User-Agent. Those live in Projects → project detail; the Settings view shows the global defaults.