Intercepting Claude Code Traffic with Burp Suite

When conducting security research or debugging API interactions, it's often useful to intercept and inspect HTTP traffic. This guide shows how to configure Claude Code to route its traffic through Burp Suite on Windows.

Step 1: Export the Burp CA Certificate

Burp Suite acts as a man-in-the-middle proxy and uses its own CA to sign certificates. Claude Code needs to trust this CA.

  1. Open Burp Suite and navigate to Proxy → Proxy settings → Import / export CA certificate
  2. Select Certificate in PEM format and save it as burp.pem

The file should look like:

-----BEGIN CERTIFICATE-----
MIID...
-----END CERTIFICATE-----

If you exported in DER format instead, convert it to PEM using OpenSSL:

openssl x509 -inform DER -in certificate.der -out burp.pem -outform PEM

Step 2: Configure Claude Code

Add the following environment variables to your settings.json:

{
  "env": {
    "HTTPS_PROXY": "http://127.0.0.1:8080",
    "HTTP_PROXY": "http://127.0.0.1:8080",
    "NODE_EXTRA_CA_CERTS": "C:\\path\\to\\burp.pem",
    "NODE_TLS_REJECT_UNAUTHORIZED": "0"
  }
}

Key points:

  • HTTPS_PROXY / HTTP_PROXY: Both use http:// (not https://) because the proxy connection itself is plain HTTP
  • NODE_EXTRA_CA_CERTS: Path to the Burp CA certificate in PEM format
  • NODE_TLS_REJECT_UNAUTHORIZED: Disables certificate validation (required for interception to work reliably)

Where to Place the Settings

Claude Code uses a hierarchical settings system with three possible locations:

| Location | Scope | Use Case |
|---|---|---|
| ~/.claude/settings.json | All projects | Personal proxy setup that applies everywhere |
| .claude/settings.json | Project | Shared team configuration (checked into git) |
| .claude/settings.local.json | Project | Personal experimentation (git-ignored) |

For security research, I recommend using .claude/settings.local.json in your project directory. This keeps proxy settings out of version control and prevents accidentally committing sensitive configuration. Claude Code automatically adds this file to .gitignore when created.

If you frequently intercept traffic across multiple projects, ~/.claude/settings.json is more convenient, but remember to disable it when not actively researching.

Step 3: Configure Burp Suite

Ensure Burp is listening on the correct interface:

  1. Go to Proxy → Proxy settings → Proxy listeners
  2. Verify 127.0.0.1:8080 is running (or add it)
  3. Disable Intercept initially (Proxy → Intercept → "Intercept is off") to avoid hanging requests

Step 4: Verify the Setup

Start Claude Code and check Burp's Proxy → HTTP history. You should see requests to api.anthropic.com.

Troubleshooting

| Issue | Solution |
|---|---|
| Request timed out | Check Burp is running and Intercept is off |
| No requests in Burp | Verify HTTPS_PROXY uses http://, not https:// |
| Certificate errors | Ensure NODE_TLS_REJECT_UNAUTHORIZED is set to "0" |
| Claude debugging | Start claude with debugging enabled: claude -d INFO |

Security Note

This setup disables TLS certificate validation. Only use it in controlled environments for legitimate security research and remove the configuration when not actively intercepting traffic.
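
One way to confirm the interception settings are gone once research is finished is to scan the three settings locations for the Step 2 environment keys. This is an added example, not code from the original post or from Claude Code; the function names, scope labels and severity labels are assumptions made for illustration, and the sample configuration in demo() is constructed.

```python
import json
import tempfile
from pathlib import Path

TLS_KEY = "NODE_TLS_REJECT_UNAUTHORIZED"  # env keys below come from Step 2's settings.json
KEYS = ("HTTPS_PROXY", "HTTP_PROXY", "NODE_EXTRA_CA_CERTS", TLS_KEY)


def settings_paths(project_dir, home_dir):
    """The three settings locations from the article, each with a scope label (labels are ours)."""
    return [
        (Path(home_dir) / ".claude" / "settings.json", "user"),
        (Path(project_dir) / ".claude" / "settings.json", "project-shared"),
        (Path(project_dir) / ".claude" / "settings.local.json", "project-local"),
    ]


def audit(project_dir, home_dir):
    """Return (scope, key, value, severity) for each interception setting still present."""
    findings = []
    for path, scope in settings_paths(project_dir, home_dir):
        try:
            env = dict(json.loads(path.read_text(encoding="utf-8")).get("env", {}))
        except FileNotFoundError:
            continue
        except (ValueError, AttributeError, TypeError):
            findings.append((scope, "<unparseable>", str(path), "review"))
            continue
        for key in KEYS:
            value = str(env.get(key, ""))
            if key not in env or (key == TLS_KEY and value != "0"):
                continue  # key absent, or TLS validation left on
            # Validation off anywhere, or any of these keys in the git-tracked file.
            high = key == TLS_KEY or scope == "project-shared"
            findings.append((scope, key, value, "high" if high else "info"))
    return findings


def demo():
    """Constructed sample: the Step 2 config left behind in settings.local.json."""
    with tempfile.TemporaryDirectory() as tmp:
        project, home = Path(tmp) / "proj", Path(tmp) / "home"
        (project / ".claude").mkdir(parents=True)
        sample = {"env": {"HTTPS_PROXY": "http://127.0.0.1:8080", TLS_KEY: "0"}}
        (project / ".claude" / "settings.local.json").write_text(json.dumps(sample))
        return audit(project, home)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For a real check, call audit() with the project directory and Path.home(); an empty list means none of the Step 2 keys remain in any of the three files.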