Responses with misleading, excessive, or contradictory headers.
GET /bytes
Returns binary byte payloads with Content-Length or Content-Type lies. Default claims twice as many bytes as it sends, hanging clients that wait for the full declared body. Use ?mode= to isolate other violations.
mode: Which violation to send. One of: content-length-overshoot (default; claims 2× bytes, client hangs waiting for the rest), content-length-undershoot (claims half, extra bytes bleed into next keep-alive response), wrong-content-type (claims image/png, body is random bytes with no PNG magic header).
n: Number of bytes to send in the actual body (1–4096, default 256). The claimed Content-Length deviates from this in overshoot and undershoot modes.
seed: Integer seed for deterministic byte generation (default 42). Same seed + same n always produces the same body, useful for comparing chaos and non-chaos responses.
Sends contradictory Cache-Control directives. Default bundles three contradictions in one header (no-store with max-age, no-cache with immutable, private with s-maxage). Use ?mode= to test how a specific RFC 9111 conflict is resolved by your cache or proxy.
mode: Which contradiction. One of: all (default), store-vs-age (no-store + max-age=300), cache-vs-immutable (no-cache + immutable), private-vs-shared (private + s-maxage=3600).
Returns responses where Content-Encoding lies about the body's actual compression state, or where the body is gzip-compressed but the header doesn't say so. Tests how clients and proxies handle disagreement between encoding metadata and bytes.
mode: gzip-header-plain-body (default; Content-Encoding: gzip but body is plain text), gzip-body-no-header (body is actually gzipped but no Content-Encoding header — looks like binary garbage), wrong-encoding-name (Content-Encoding: superzip — unknown), chained-claim (Content-Encoding: gzip, br — multiple encodings claimed, body is plain text).
Returns malformed Set-Cookie headers that real-world clients silently drop, accept differently, or argue about. Ten modes covering SameSite, expiry, prefix, folding, domain, and CHIPS violations.
mode: Which flaw to send. samesite-none-no-secure (default; SameSite=None without Secure, browsers reject), expiry-contradiction (past Expires + future Max-Age), multiple-same-name (three Set-Cookie headers with the same name), bad-path (cookie scoped to a path not served), huge-value (~8KB, over the 4KB limit), host-prefix-violation (__Host- with Domain= set, violates RFC 6265bis), secure-prefix-violation (__Secure- without Secure attribute), comma-folded (two cookies joined in one header with comma, excluded by RFC 6265), domain-overreach (Domain=catastrophic.io from chaos.catastrophic.io subdomain), partitioned-no-secure (Partitioned without Secure, CHIPS requirement violated).
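A client-side check for the single-header flaws in this list, as an added example (not part of the service or its documentation); each finding is named after the corresponding mode. The function name, the sample headers and `example.test` are constructed for illustration, and the modes that need request context or several headers (multiple-same-name, bad-path, domain-overreach) are not covered.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_BYTES_LIMIT = 4096  # the 4KB name+value limit the page refers to

def lint_set_cookie(header_value, now=None):
    """Return the flaw names (the page's mode names) found in one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    flaws = set()
    # A comma followed by "token=" means a second cookie was folded into this header.
    if re.search(r",\s*[^;,=\s]+=", header_value):
        flaws.add("comma-folded")
    pair, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    secure = "secure" in attrs
    if attrs.get("samesite", "").lower() == "none" and not secure:
        flaws.add("samesite-none-no-secure")
    if "partitioned" in attrs and not secure:
        flaws.add("partitioned-no-secure")
    if name.lower().startswith("__secure-") and not secure:
        flaws.add("secure-prefix-violation")
    if name.lower().startswith("__host-") and (
            not secure or "domain" in attrs or attrs.get("path") != "/"):
        flaws.add("host-prefix-violation")
    if len((name + value).encode()) > COOKIE_BYTES_LIMIT:
        flaws.add("huge-value")
    try:
        expired = parsedate_to_datetime(attrs["expires"]) < now
        if expired and int(attrs["max-age"]) > 0:
            flaws.add("expiry-contradiction")
    except (KeyError, TypeError, ValueError):
        pass  # attribute missing or unparsable: no contradiction to report
    return flaws

# Constructed sample headers, one per flaw; not captured from the service.
SAMPLES = {
    "samesite-none-no-secure": "sid=abc; SameSite=None; Path=/",
    "expiry-contradiction": "sid=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=3600",
    "host-prefix-violation": "__Host-sid=abc; Secure; Path=/; Domain=example.test",
    "secure-prefix-violation": "__Secure-sid=abc; Path=/",
    "comma-folded": "a=1; Path=/, b=2; Path=/",
    "partitioned-no-secure": "sid=abc; Partitioned; Path=/",
    "huge-value": "big=" + "x" * 8192,
}
```

Run `lint_set_cookie` over every Set-Cookie value a client or proxy receives and compare the findings with what the component actually stored or forwarded.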
Returns ETag and Last-Modified headers that break HTTP conditional-request semantics. Tests caches, CDNs, and clients that rely on validators.
mode: random-etag (default; different ETag every call for identical content), stable-etag-mutated-body (same ETag, body changes), weak-strong-conflict (both strong and weak ETag headers), unquoted (ETag without required quotes), future-last-modified (Last-Modified in 2099).
Returns N custom response headers. Tests header size limits in clients, proxies, and load balancers. Many stacks reject or silently drop responses above a threshold.
n: Number of X-Chaos-Header-* headers to add. Range: 1–100. Default: 20.
Returns HTTP Range responses that misbehave. Tests clients that rely on partial-content semantics: resumable downloads, video streaming, CDN slicing. Default sends a 206 with the correct Content-Range header but the wrong body bytes.
mode: Which Range violation to send. One of: accepts-range-lies (default; 206 with correct Content-Range header but body bytes offset by 500), ignores-range (Range header present but server returns 200 + full body), bad-multipart (multipart/byteranges with non-monotonic parts — 200-299 before 0-99), stale-if-range (If-Range ETag mismatch, server returns 206 instead of 200 + full body), suffix-confusion (bytes=-N returns first N bytes instead of last N).
Returns a body whose declared Content-Type does not match its actual format. Default sends a JSON body labelled text/html. Other modes mismatch JSON-as-PNG, XML-as-JSON, HTML-as-JSON, or omit the Content-Type entirely. The X-Chaos-Body-Format header exposes the body's real format so clients can detect the mismatch programmatically.
type: Mismatch flavor. One of: json-as-html (default), xml-as-json, html-as-json, json-as-png, missing.
Headers that disagree with themselves or with the body. Useful for testing
client and proxy behavior where the spec says “do X” but real implementations
vary.
The /cache-confused directives are all valid individually — the chaos is
in combining them. RFC 9111 has resolution rules; not everyone implements them.