From 89141afd3bf5d82f7b0283376bac0be64dce29bc Mon Sep 17 00:00:00 2001
From: David Stotijn <dstotijn@gmail.com>
Date: Mon, 21 Mar 2022 10:33:11 +0100
Subject: [PATCH] Add intercept response filter

---
 .../projects/graphql/activeProject.graphql    |   4 +-
 .../features/reqlog/components/Actions.tsx    |   2 +-
 .../features/settings/components/Settings.tsx | 141 ++++++++++++---
 .../graphql/updateInterceptSettings.graphql   |   4 +-
 admin/src/lib/graphql/generated.tsx           |  20 ++-
 pkg/api/generated.go                          | 146 ++++++++++++++--
 pkg/api/models_gen.go                         |  12 +-
 pkg/api/resolvers.go                          |  35 +++-
 pkg/api/schema.graphql                        |   8 +-
 pkg/proj/proj.go                              |  22 ++-
 pkg/proxy/intercept/filter.go                 | 165 ++++++++++++++++++
 pkg/proxy/intercept/intercept.go              |  73 ++++----
 pkg/proxy/intercept/intercept_test.go         |  15 +-
 pkg/proxy/intercept/settings.go               |   6 +-
 pkg/reqlog/reqlog.go                          |  16 +-
 15 files changed, 556 insertions(+), 113 deletions(-)

diff --git a/admin/src/features/projects/graphql/activeProject.graphql b/admin/src/features/projects/graphql/activeProject.graphql
index 4327af0..4aa3711 100644
--- a/admin/src/features/projects/graphql/activeProject.graphql
+++ b/admin/src/features/projects/graphql/activeProject.graphql
@@ -5,8 +5,10 @@ query ActiveProject {
     isActive
     settings {
       intercept {
-        enabled
+        requestsEnabled
+        responsesEnabled
         requestFilter
+        responseFilter
       }
     }
   }
diff --git a/admin/src/features/reqlog/components/Actions.tsx b/admin/src/features/reqlog/components/Actions.tsx
index bc16d7b..e95e1f7 100644
--- a/admin/src/features/reqlog/components/Actions.tsx
+++ b/admin/src/features/reqlog/components/Actions.tsx
@@ -29,7 +29,7 @@ function Actions(): JSX.Element {
 
       {clearLogsResult.error && <Alert severity="error">Failed to clear HTTP logs: {clearLogsResult.error}</Alert>}
 
-      {activeProject?.settings.intercept.enabled && (
+      {(activeProject?.settings.intercept.requestsEnabled || activeProject?.settings.intercept.responsesEnabled) && (
         <Link href="/proxy/intercept/?id=" passHref>
           <Button
             variant="contained"
diff --git a/admin/src/features/settings/components/Settings.tsx b/admin/src/features/settings/components/Settings.tsx
index abd6eb8..06fb56e 100644
--- a/admin/src/features/settings/components/Settings.tsx
+++ b/admin/src/features/settings/components/Settings.tsx
@@ -11,6 +11,7 @@ import {
   Switch,
   Tab,
   TextField,
+  TextFieldProps,
   Typography,
 } from "@mui/material";
 import { SwitchBaseProps } from "@mui/material/internal/SwitchBase";
@@ -25,6 +26,26 @@ enum TabValue {
   Intercept = "intercept",
 }
 
+function FilterTextField(props: TextFieldProps): JSX.Element {
+  return (
+    <TextField
+      color="primary"
+      variant="outlined"
+      InputProps={{
+        sx: { fontFamily: "'JetBrains Mono', monospace" },
+        autoCorrect: "false",
+        spellCheck: "false",
+      }}
+      InputLabelProps={{
+        shrink: true,
+      }}
+      margin="normal"
+      sx={{ mr: 1 }}
+      {...props}
+    />
+  );
+}
+
 export default function Settings(): JSX.Element {
   const client = useApolloClient();
   const activeProject = useActiveProject();
@@ -41,16 +62,22 @@ export default function Settings(): JSX.Element {
       }));
 
       setInterceptReqFilter(data.updateInterceptSettings.requestFilter || "");
+      setInterceptResFilter(data.updateInterceptSettings.responseFilter || "");
     },
   });
 
   const [interceptReqFilter, setInterceptReqFilter] = useState("");
+  const [interceptResFilter, setInterceptResFilter] = useState("");
 
   useEffect(() => {
     setInterceptReqFilter(activeProject?.settings.intercept.requestFilter || "");
   }, [activeProject?.settings.intercept.requestFilter]);
 
-  const handleInterceptEnabled: SwitchBaseProps["onChange"] = (e, checked) => {
+  useEffect(() => {
+    setInterceptResFilter(activeProject?.settings.intercept.responseFilter || "");
+  }, [activeProject?.settings.intercept.responseFilter]);
+
+  const handleReqInterceptEnabled: SwitchBaseProps["onChange"] = (e, checked) => {
     if (!activeProject) {
       e.preventDefault();
       return;
@@ -60,7 +87,23 @@ export default function Settings(): JSX.Element {
       variables: {
         input: {
           ...withoutTypename(activeProject.settings.intercept),
-          enabled: checked,
+          requestsEnabled: checked,
+        },
+      },
+    });
+  };
+
+  const handleResInterceptEnabled: SwitchBaseProps["onChange"] = (e, checked) => {
+    if (!activeProject) {
+      e.preventDefault();
+      return;
+    }
+
+    updateInterceptSettings({
+      variables: {
+        input: {
+          ...withoutTypename(activeProject.settings.intercept),
+          responsesEnabled: checked,
         },
       },
     });
@@ -81,6 +124,21 @@ export default function Settings(): JSX.Element {
     });
   };
 
+  const handleInterceptResFilter = () => {
+    if (!activeProject) {
+      return;
+    }
+
+    updateInterceptSettings({
+      variables: {
+        input: {
+          ...withoutTypename(activeProject.settings.intercept),
+          responseFilter: interceptResFilter,
+        },
+      },
+    });
+  };
+
   const [tabValue, setTabValue] = useState(TabValue.Intercept);
 
   const tabSx = {
@@ -111,16 +169,19 @@ export default function Settings(): JSX.Element {
             </TabList>
 
             <TabPanel value={TabValue.Intercept} sx={{ px: 0 }}>
-              <FormControl>
+              <Typography variant="h6" sx={{ mt: 3, mb: 1 }}>
+                Requests
+              </Typography>
+              <FormControl sx={{ mb: 2 }}>
                 <FormControlLabel
                   control={
                     <Switch
                       disabled={updateIntercepSettingsResult.loading}
-                      onChange={handleInterceptEnabled}
-                      checked={activeProject.settings.intercept.enabled}
+                      onChange={handleReqInterceptEnabled}
+                      checked={activeProject.settings.intercept.requestsEnabled}
                     />
                   }
-                  label="Enable proxy interception"
+                  label="Enable request interception"
                   labelPlacement="start"
                   sx={{ display: "inline-block", m: 0 }}
                 />
@@ -129,28 +190,13 @@ export default function Settings(): JSX.Element {
                   <Link href="/proxy/intercept">manual review</Link>.
                 </FormHelperText>
               </FormControl>
-              <Typography variant="h6" sx={{ mt: 3 }}>
-                Rules
-              </Typography>
               <form>
                 <FormControl sx={{ width: "50%" }}>
-                  <TextField
+                  <FilterTextField
                     label="Request filter"
-                    placeholder={`method = "GET" OR url =~ "/foobar"`}
-                    color="primary"
-                    variant="outlined"
+                    placeholder={`Example: method = "GET" OR url =~ "/foobar"`}
                     value={interceptReqFilter}
                     onChange={(e) => setInterceptReqFilter(e.target.value)}
-                    InputProps={{
-                      sx: { fontFamily: "'JetBrains Mono', monospace" },
-                      autoCorrect: "false",
-                      spellCheck: "false",
-                    }}
-                    InputLabelProps={{
-                      shrink: true,
-                    }}
-                    margin="normal"
-                    sx={{ mr: 1 }}
                   />
                   <FormHelperText>
                     Filter expression to match incoming requests on. When set, only matching requests are intercepted.
@@ -172,6 +218,55 @@ export default function Settings(): JSX.Element {
                   Update
                 </Button>
               </form>
+              <Typography variant="h6" sx={{ mt: 3 }}>
+                Responses
+              </Typography>
+              <FormControl sx={{ mb: 2 }}>
+                <FormControlLabel
+                  control={
+                    <Switch
+                      disabled={updateIntercepSettingsResult.loading}
+                      onChange={handleResInterceptEnabled}
+                      checked={activeProject.settings.intercept.responsesEnabled}
+                    />
+                  }
+                  label="Enable response interception"
+                  labelPlacement="start"
+                  sx={{ display: "inline-block", m: 0 }}
+                />
+                <FormHelperText>
+                  When enabled, HTTP responses received by the proxy are stalled for{" "}
+                  <Link href="/proxy/intercept">manual review</Link>.
+                </FormHelperText>
+              </FormControl>
+              <form>
+                <FormControl sx={{ width: "50%" }}>
+                  <FilterTextField
+                    label="Response filter"
+                    placeholder={`Example: statusCode =~ "^2" OR body =~ "foobar"`}
+                    value={interceptResFilter}
+                    onChange={(e) => setInterceptResFilter(e.target.value)}
+                  />
+                  <FormHelperText>
+                    Filter expression to match received responses on. When set, only matching responses are intercepted.
+                  </FormHelperText>
+                </FormControl>
+                <Button
+                  type="submit"
+                  variant="text"
+                  color="primary"
+                  size="large"
+                  sx={{
+                    mt: 2,
+                    py: 1.8,
+                  }}
+                  onClick={handleInterceptResFilter}
+                  disabled={updateIntercepSettingsResult.loading}
+                  startIcon={updateIntercepSettingsResult.loading ? <CircularProgress size={22} /> : undefined}
+                >
+                  Update
+                </Button>
+              </form>
             </TabPanel>
           </TabContext>
         </>
diff --git a/admin/src/features/settings/graphql/updateInterceptSettings.graphql b/admin/src/features/settings/graphql/updateInterceptSettings.graphql
index 0bcf99f..ea9c516 100644
--- a/admin/src/features/settings/graphql/updateInterceptSettings.graphql
+++ b/admin/src/features/settings/graphql/updateInterceptSettings.graphql
@@ -1,6 +1,8 @@
 mutation UpdateInterceptSettings($input: UpdateInterceptSettingsInput!) {
   updateInterceptSettings(input: $input) {
-    enabled
+    requestsEnabled
+    responsesEnabled
     requestFilter
+    responseFilter
   }
 }
diff --git a/admin/src/lib/graphql/generated.tsx b/admin/src/lib/graphql/generated.tsx
index 6cd3ed7..c64dcbf 100644
--- a/admin/src/lib/graphql/generated.tsx
+++ b/admin/src/lib/graphql/generated.tsx
@@ -135,8 +135,10 @@ export type HttpResponseLog = {
 
 export type InterceptSettings = {
   __typename?: 'InterceptSettings';
-  enabled: Scalars['Boolean'];
   requestFilter?: Maybe<Scalars['String']>;
+  requestsEnabled: Scalars['Boolean'];
+  responseFilter?: Maybe<Scalars['String']>;
+  responsesEnabled: Scalars['Boolean'];
 };
 
 export type ModifyRequestInput = {
@@ -359,8 +361,10 @@ export type SenderRequestInput = {
 };
 
 export type UpdateInterceptSettingsInput = {
-  enabled: Scalars['Boolean'];
   requestFilter?: InputMaybe<Scalars['String']>;
+  requestsEnabled: Scalars['Boolean'];
+  responseFilter?: InputMaybe<Scalars['String']>;
+  responsesEnabled: Scalars['Boolean'];
 };
 
 export type CancelRequestMutationVariables = Exact<{
@@ -401,7 +405,7 @@ export type ModifyResponseMutation = { __typename?: 'Mutation', modifyResponse:
 export type ActiveProjectQueryVariables = Exact<{ [key: string]: never; }>;
 
 
-export type ActiveProjectQuery = { __typename?: 'Query', activeProject?: { __typename?: 'Project', id: string, name: string, isActive: boolean, settings: { __typename?: 'ProjectSettings', intercept: { __typename?: 'InterceptSettings', enabled: boolean, requestFilter?: string | null } } } | null };
+export type ActiveProjectQuery = { __typename?: 'Query', activeProject?: { __typename?: 'Project', id: string, name: string, isActive: boolean, settings: { __typename?: 'ProjectSettings', intercept: { __typename?: 'InterceptSettings', requestsEnabled: boolean, responsesEnabled: boolean, requestFilter?: string | null, responseFilter?: string | null } } } | null };
 
 export type CloseProjectMutationVariables = Exact<{ [key: string]: never; }>;
 
@@ -513,7 +517,7 @@ export type UpdateInterceptSettingsMutationVariables = Exact<{
 }>;
 
 
-export type UpdateInterceptSettingsMutation = { __typename?: 'Mutation', updateInterceptSettings: { __typename?: 'InterceptSettings', enabled: boolean, requestFilter?: string | null } };
+export type UpdateInterceptSettingsMutation = { __typename?: 'Mutation', updateInterceptSettings: { __typename?: 'InterceptSettings', requestsEnabled: boolean, responsesEnabled: boolean, requestFilter?: string | null, responseFilter?: string | null } };
 
 export type GetInterceptedRequestsQueryVariables = Exact<{ [key: string]: never; }>;
 
@@ -715,8 +719,10 @@ export const ActiveProjectDocument = gql`
     isActive
     settings {
       intercept {
-        enabled
+        requestsEnabled
+        responsesEnabled
         requestFilter
+        responseFilter
       }
     }
   }
@@ -1381,8 +1387,10 @@ export type GetSenderRequestsQueryResult = Apollo.QueryResult<GetSenderRequestsQ
 export const UpdateInterceptSettingsDocument = gql`
     mutation UpdateInterceptSettings($input: UpdateInterceptSettingsInput!) {
   updateInterceptSettings(input: $input) {
-    enabled
+    requestsEnabled
+    responsesEnabled
     requestFilter
+    responseFilter
   }
 }
     `;
diff --git a/pkg/api/generated.go b/pkg/api/generated.go
index 2b6a609..5a064e3 100644
--- a/pkg/api/generated.go
+++ b/pkg/api/generated.go
@@ -119,8 +119,10 @@ type ComplexityRoot struct {
 	}
 
 	InterceptSettings struct {
-		Enabled       func(childComplexity int) int
-		RequestFilter func(childComplexity int) int
+		RequestFilter    func(childComplexity int) int
+		RequestsEnabled  func(childComplexity int) int
+		ResponseFilter   func(childComplexity int) int
+		ResponsesEnabled func(childComplexity int) int
 	}
 
 	ModifyRequestResult struct {
@@ -510,13 +512,6 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 
 		return e.complexity.HTTPResponseLog.StatusReason(childComplexity), true
 
-	case "InterceptSettings.enabled":
-		if e.complexity.InterceptSettings.Enabled == nil {
-			break
-		}
-
-		return e.complexity.InterceptSettings.Enabled(childComplexity), true
-
 	case "InterceptSettings.requestFilter":
 		if e.complexity.InterceptSettings.RequestFilter == nil {
 			break
@@ -524,6 +519,27 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 
 		return e.complexity.InterceptSettings.RequestFilter(childComplexity), true
 
+	case "InterceptSettings.requestsEnabled":
+		if e.complexity.InterceptSettings.RequestsEnabled == nil {
+			break
+		}
+
+		return e.complexity.InterceptSettings.RequestsEnabled(childComplexity), true
+
+	case "InterceptSettings.responseFilter":
+		if e.complexity.InterceptSettings.ResponseFilter == nil {
+			break
+		}
+
+		return e.complexity.InterceptSettings.ResponseFilter(childComplexity), true
+
+	case "InterceptSettings.responsesEnabled":
+		if e.complexity.InterceptSettings.ResponsesEnabled == nil {
+			break
+		}
+
+		return e.complexity.InterceptSettings.ResponsesEnabled(childComplexity), true
+
 	case "ModifyRequestResult.success":
 		if e.complexity.ModifyRequestResult.Success == nil {
 			break
@@ -1204,13 +1220,17 @@ type CancelResponseResult {
 }
 
 input UpdateInterceptSettingsInput {
-  enabled: Boolean!
+  requestsEnabled: Boolean!
+  responsesEnabled: Boolean!
   requestFilter: String
+  responseFilter: String
 }
 
 type InterceptSettings {
-  enabled: Boolean!
+  requestsEnabled: Boolean!
+  responsesEnabled: Boolean!
   requestFilter: String
+  responseFilter: String
 }
 
 type Query {
@@ -2861,7 +2881,7 @@ func (ec *executionContext) _HttpResponseLog_headers(ctx context.Context, field
 	return ec.marshalNHttpHeader2ᚕgithubᚗcomᚋdstotijnᚋhettyᚋpkgᚋapiᚐHTTPHeaderᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) _InterceptSettings_enabled(ctx context.Context, field graphql.CollectedField, obj *InterceptSettings) (ret graphql.Marshaler) {
+func (ec *executionContext) _InterceptSettings_requestsEnabled(ctx context.Context, field graphql.CollectedField, obj *InterceptSettings) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
@@ -2879,7 +2899,42 @@ func (ec *executionContext) _InterceptSettings_enabled(ctx context.Context, fiel
 	ctx = graphql.WithFieldContext(ctx, fc)
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Enabled, nil
+		return obj.RequestsEnabled, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) _InterceptSettings_responsesEnabled(ctx context.Context, field graphql.CollectedField, obj *InterceptSettings) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "InterceptSettings",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   false,
+		IsResolver: false,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ResponsesEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -2928,6 +2983,38 @@ func (ec *executionContext) _InterceptSettings_requestFilter(ctx context.Context
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
+func (ec *executionContext) _InterceptSettings_responseFilter(ctx context.Context, field graphql.CollectedField, obj *InterceptSettings) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "InterceptSettings",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   false,
+		IsResolver: false,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ResponseFilter, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
 func (ec *executionContext) _ModifyRequestResult_success(ctx context.Context, field graphql.CollectedField, obj *ModifyRequestResult) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -6302,11 +6389,19 @@ func (ec *executionContext) unmarshalInputUpdateInterceptSettingsInput(ctx conte
 
 	for k, v := range asMap {
 		switch k {
-		case "enabled":
+		case "requestsEnabled":
 			var err error
 
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
-			it.Enabled, err = ec.unmarshalNBoolean2bool(ctx, v)
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("requestsEnabled"))
+			it.RequestsEnabled, err = ec.unmarshalNBoolean2bool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		case "responsesEnabled":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("responsesEnabled"))
+			it.ResponsesEnabled, err = ec.unmarshalNBoolean2bool(ctx, v)
 			if err != nil {
 				return it, err
 			}
@@ -6318,6 +6413,14 @@ func (ec *executionContext) unmarshalInputUpdateInterceptSettingsInput(ctx conte
 			if err != nil {
 				return it, err
 			}
+		case "responseFilter":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("responseFilter"))
+			it.ResponseFilter, err = ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		}
 	}
 
@@ -6771,13 +6874,20 @@ func (ec *executionContext) _InterceptSettings(ctx context.Context, sel ast.Sele
 		switch field.Name {
 		case "__typename":
 			out.Values[i] = graphql.MarshalString("InterceptSettings")
-		case "enabled":
-			out.Values[i] = ec._InterceptSettings_enabled(ctx, field, obj)
+		case "requestsEnabled":
+			out.Values[i] = ec._InterceptSettings_requestsEnabled(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				invalids++
+			}
+		case "responsesEnabled":
+			out.Values[i] = ec._InterceptSettings_responsesEnabled(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				invalids++
 			}
 		case "requestFilter":
 			out.Values[i] = ec._InterceptSettings_requestFilter(ctx, field, obj)
+		case "responseFilter":
+			out.Values[i] = ec._InterceptSettings_responseFilter(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
diff --git a/pkg/api/models_gen.go b/pkg/api/models_gen.go
index 9459fb6..9c480b5 100644
--- a/pkg/api/models_gen.go
+++ b/pkg/api/models_gen.go
@@ -98,8 +98,10 @@ type HTTPResponseLog struct {
 }
 
 type InterceptSettings struct {
-	Enabled       bool    `json:"enabled"`
-	RequestFilter *string `json:"requestFilter"`
+	RequestsEnabled  bool    `json:"requestsEnabled"`
+	ResponsesEnabled bool    `json:"responsesEnabled"`
+	RequestFilter    *string `json:"requestFilter"`
+	ResponseFilter   *string `json:"responseFilter"`
 }
 
 type ModifyRequestInput struct {
@@ -194,8 +196,10 @@ type SenderRequestInput struct {
 }
 
 type UpdateInterceptSettingsInput struct {
-	Enabled       bool    `json:"enabled"`
-	RequestFilter *string `json:"requestFilter"`
+	RequestsEnabled  bool    `json:"requestsEnabled"`
+	ResponsesEnabled bool    `json:"responsesEnabled"`
+	RequestFilter    *string `json:"requestFilter"`
+	ResponseFilter   *string `json:"responseFilter"`
 }
 
 type HTTPMethod string
diff --git a/pkg/api/resolvers.go b/pkg/api/resolvers.go
index f78e9af..e334b33 100644
--- a/pkg/api/resolvers.go
+++ b/pkg/api/resolvers.go
@@ -596,10 +596,13 @@ func (r *mutationResolver) ModifyResponse(
 		return nil, fmt.Errorf("malformed HTTP version: %q", res.Proto)
 	}
 
+	var body string
 	if input.Body != nil {
-		res.Body = io.NopCloser(strings.NewReader(*input.Body))
+		body = *input.Body
 	}
 
+	res.Body = io.NopCloser(strings.NewReader(body))
+
 	for _, header := range input.Headers {
 		res.Header.Add(header.Key, header.Value)
 	}
@@ -626,18 +629,28 @@ func (r *mutationResolver) UpdateInterceptSettings(
 	input UpdateInterceptSettingsInput,
 ) (*InterceptSettings, error) {
 	settings := intercept.Settings{
-		Enabled: input.Enabled,
+		RequestsEnabled:  input.RequestsEnabled,
+		ResponsesEnabled: input.ResponsesEnabled,
 	}
 
 	if input.RequestFilter != nil && *input.RequestFilter != "" {
 		expr, err := search.ParseQuery(*input.RequestFilter)
 		if err != nil {
-			return nil, fmt.Errorf("could not parse search query: %w", err)
+			return nil, fmt.Errorf("could not parse request filter: %w", err)
 		}
 
 		settings.RequestFilter = expr
 	}
 
+	if input.ResponseFilter != nil && *input.ResponseFilter != "" {
+		expr, err := search.ParseQuery(*input.ResponseFilter)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse response filter: %w", err)
+		}
+
+		settings.ResponseFilter = expr
+	}
+
 	err := r.ProjectService.UpdateInterceptSettings(ctx, settings)
 	if errors.Is(err, proj.ErrNoProject) {
 		return nil, noActiveProjectErr(ctx)
@@ -646,7 +659,8 @@ func (r *mutationResolver) UpdateInterceptSettings(
 	}
 
 	updated := &InterceptSettings{
-		Enabled: settings.Enabled,
+		RequestsEnabled:  settings.RequestsEnabled,
+		ResponsesEnabled: settings.ResponsesEnabled,
 	}
 
 	if settings.RequestFilter != nil {
@@ -654,6 +668,11 @@ func (r *mutationResolver) UpdateInterceptSettings(
 		updated.RequestFilter = &reqFilter
 	}
 
+	if settings.ResponseFilter != nil {
+		resFilter := settings.ResponseFilter.String()
+		updated.ResponseFilter = &resFilter
+	}
+
 	return updated, nil
 }
 
@@ -842,7 +861,8 @@ func parseProject(projSvc proj.Service, p proj.Project) Project {
 		IsActive: projSvc.IsProjectActive(p.ID),
 		Settings: &ProjectSettings{
 			Intercept: &InterceptSettings{
-				Enabled: p.Settings.InterceptEnabled,
+				RequestsEnabled:  p.Settings.InterceptRequests,
+				ResponsesEnabled: p.Settings.InterceptResponses,
 			},
 		},
 	}
@@ -852,6 +872,11 @@ func parseProject(projSvc proj.Service, p proj.Project) Project {
 		project.Settings.Intercept.RequestFilter = &interceptReqFilter
 	}
 
+	if p.Settings.InterceptResponseFilter != nil {
+		interceptResFilter := p.Settings.InterceptResponseFilter.String()
+		project.Settings.Intercept.ResponseFilter = &interceptResFilter
+	}
+
 	return project
 }
 
diff --git a/pkg/api/schema.graphql b/pkg/api/schema.graphql
index 88ad21f..e33d398 100644
--- a/pkg/api/schema.graphql
+++ b/pkg/api/schema.graphql
@@ -179,13 +179,17 @@ type CancelResponseResult {
 }
 
 input UpdateInterceptSettingsInput {
-  enabled: Boolean!
+  requestsEnabled: Boolean!
+  responsesEnabled: Boolean!
   requestFilter: String
+  responseFilter: String
 }
 
 type InterceptSettings {
-  enabled: Boolean!
+  requestsEnabled: Boolean!
+  responsesEnabled: Boolean!
   requestFilter: String
+  responseFilter: String
 }
 
 type Query {
diff --git a/pkg/proj/proj.go b/pkg/proj/proj.go
index 55a4823..e86a930 100644
--- a/pkg/proj/proj.go
+++ b/pkg/proj/proj.go
@@ -62,8 +62,10 @@ type Settings struct {
 	ReqLogSearchExpr       search.Expression
 
 	// Intercept settings
-	InterceptEnabled       bool
-	InterceptRequestFilter search.Expression
+	InterceptRequests       bool
+	InterceptResponses      bool
+	InterceptRequestFilter  search.Expression
+	InterceptResponseFilter search.Expression
 
 	// Sender settings
 	SenderOnlyFindInScope bool
@@ -133,8 +135,10 @@ func (svc *service) CloseProject() error {
 	svc.reqLogSvc.SetBypassOutOfScopeRequests(false)
 	svc.reqLogSvc.SetFindReqsFilter(reqlog.FindRequestsFilter{})
 	svc.interceptSvc.UpdateSettings(intercept.Settings{
-		Enabled:       false,
-		RequestFilter: nil,
+		RequestsEnabled:  false,
+		ResponsesEnabled: false,
+		RequestFilter:    nil,
+		ResponseFilter:   nil,
 	})
 	svc.senderSvc.SetActiveProjectID(ulid.ULID{})
 	svc.senderSvc.SetFindReqsFilter(sender.FindRequestsFilter{})
@@ -179,8 +183,10 @@ func (svc *service) OpenProject(ctx context.Context, projectID ulid.ULID) (Proje
 
 	// Intercept settings.
 	svc.interceptSvc.UpdateSettings(intercept.Settings{
-		Enabled:       project.Settings.InterceptEnabled,
-		RequestFilter: project.Settings.InterceptRequestFilter,
+		RequestsEnabled:  project.Settings.InterceptRequests,
+		ResponsesEnabled: project.Settings.InterceptResponses,
+		RequestFilter:    project.Settings.InterceptRequestFilter,
+		ResponseFilter:   project.Settings.InterceptResponseFilter,
 	})
 
 	// Sender settings.
@@ -296,8 +302,10 @@ func (svc *service) UpdateInterceptSettings(ctx context.Context, settings interc
 		return err
 	}
 
-	project.Settings.InterceptEnabled = settings.Enabled
+	project.Settings.InterceptRequests = settings.RequestsEnabled
+	project.Settings.InterceptResponses = settings.ResponsesEnabled
 	project.Settings.InterceptRequestFilter = settings.RequestFilter
+	project.Settings.InterceptResponseFilter = settings.ResponseFilter
 
 	err = svc.repo.UpsertProject(ctx, project)
 	if err != nil {
diff --git a/pkg/proxy/intercept/filter.go b/pkg/proxy/intercept/filter.go
index ee15ad9..5be81c3 100644
--- a/pkg/proxy/intercept/filter.go
+++ b/pkg/proxy/intercept/filter.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"strconv"
 	"strings"
 
 	"github.com/dstotijn/hetty/pkg/scope"
@@ -38,6 +39,34 @@ var reqFilterKeyFns = map[string]func(req *http.Request) (string, error){
 	},
 }
 
+//nolint:unparam
+var resFilterKeyFns = map[string]func(res *http.Response) (string, error){
+	"proto":      func(res *http.Response) (string, error) { return res.Proto, nil },
+	"statusCode": func(res *http.Response) (string, error) { return strconv.Itoa(res.StatusCode), nil },
+	"statusReason": func(res *http.Response) (string, error) {
+		statusReasonSubs := strings.SplitN(res.Status, " ", 2)
+
+		if len(statusReasonSubs) != 2 {
+			return "", fmt.Errorf("invalid response status %q", res.Status)
+		}
+		return statusReasonSubs[1], nil
+	},
+	"body": func(res *http.Response) (string, error) {
+		if res.Body == nil {
+			return "", nil
+		}
+
+		body, err := io.ReadAll(res.Body)
+		if err != nil {
+			return "", err
+		}
+
+		res.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+
+		return string(body), nil
+	},
+}
+
 // MatchRequestFilter returns true if an HTTP request matches the request filter expression.
 func MatchRequestFilter(req *http.Request, expr search.Expression) (bool, error) {
 	switch e := expr.(type) {
@@ -228,3 +257,139 @@ func MatchRequestScope(req *http.Request, s *scope.Scope) (bool, error) {
 
 	return false, nil
 }
+
+// MatchResponseFilter returns true if an HTTP response matches the response filter expression.
+func MatchResponseFilter(res *http.Response, expr search.Expression) (bool, error) {
+	switch e := expr.(type) {
+	case search.PrefixExpression:
+		return matchResPrefixExpr(res, e)
+	case search.InfixExpression:
+		return matchResInfixExpr(res, e)
+	case search.StringLiteral:
+		return matchResStringLiteral(res, e)
+	default:
+		return false, fmt.Errorf("expression type (%T) not supported", expr)
+	}
+}
+
+func matchResPrefixExpr(res *http.Response, expr search.PrefixExpression) (bool, error) {
+	switch expr.Operator {
+	case search.TokOpNot:
+		match, err := MatchResponseFilter(res, expr.Right)
+		if err != nil {
+			return false, err
+		}
+
+		return !match, nil
+	default:
+		return false, errors.New("operator is not supported")
+	}
+}
+
+func matchResInfixExpr(res *http.Response, expr search.InfixExpression) (bool, error) {
+	switch expr.Operator {
+	case search.TokOpAnd:
+		left, err := MatchResponseFilter(res, expr.Left)
+		if err != nil {
+			return false, err
+		}
+
+		right, err := MatchResponseFilter(res, expr.Right)
+		if err != nil {
+			return false, err
+		}
+
+		return left && right, nil
+	case search.TokOpOr:
+		left, err := MatchResponseFilter(res, expr.Left)
+		if err != nil {
+			return false, err
+		}
+
+		right, err := MatchResponseFilter(res, expr.Right)
+		if err != nil {
+			return false, err
+		}
+
+		return left || right, nil
+	}
+
+	left, ok := expr.Left.(search.StringLiteral)
+	if !ok {
+		return false, errors.New("left operand must be a string literal")
+	}
+
+	leftVal, err := getMappedStringLiteralFromRes(res, left.Value)
+	if err != nil {
+		return false, fmt.Errorf("failed to get string literal from response for left operand: %w", err)
+	}
+
+	if expr.Operator == search.TokOpRe || expr.Operator == search.TokOpNotRe {
+		right, ok := expr.Right.(search.RegexpLiteral)
+		if !ok {
+			return false, errors.New("right operand must be a regular expression")
+		}
+
+		switch expr.Operator {
+		case search.TokOpRe:
+			return right.MatchString(leftVal), nil
+		case search.TokOpNotRe:
+			return !right.MatchString(leftVal), nil
+		}
+	}
+
+	right, ok := expr.Right.(search.StringLiteral)
+	if !ok {
+		return false, errors.New("right operand must be a string literal")
+	}
+
+	rightVal, err := getMappedStringLiteralFromRes(res, right.Value)
+	if err != nil {
+		return false, fmt.Errorf("failed to get string literal from response for right operand: %w", err)
+	}
+
+	switch expr.Operator {
+	case search.TokOpEq:
+		return leftVal == rightVal, nil
+	case search.TokOpNotEq:
+		return leftVal != rightVal, nil
+	case search.TokOpGt:
+		// TODO(?) attempt to parse as int.
+		return leftVal > rightVal, nil
+	case search.TokOpLt:
+		// TODO(?) attempt to parse as int.
+		return leftVal < rightVal, nil
+	case search.TokOpGtEq:
+		// TODO(?) attempt to parse as int.
+		return leftVal >= rightVal, nil
+	case search.TokOpLtEq:
+		// TODO(?) attempt to parse as int.
+		return leftVal <= rightVal, nil
+	default:
+		return false, errors.New("unsupported operator")
+	}
+}
+
+func getMappedStringLiteralFromRes(res *http.Response, s string) (string, error) {
+	fn, ok := resFilterKeyFns[s]
+	if ok {
+		return fn(res)
+	}
+
+	return s, nil
+}
+
+func matchResStringLiteral(res *http.Response, strLiteral search.StringLiteral) (bool, error) {
+	for _, fn := range resFilterKeyFns {
+		value, err := fn(res)
+		if err != nil {
+			return false, err
+		}
+
+		if strings.Contains(strings.ToLower(value), strings.ToLower(strLiteral.Value)) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
diff --git a/pkg/proxy/intercept/intercept.go b/pkg/proxy/intercept/intercept.go
index 06c8441..caf2f99 100644
--- a/pkg/proxy/intercept/intercept.go
+++ b/pkg/proxy/intercept/intercept.go
@@ -53,14 +53,19 @@ type Service struct {
 	requests  map[ulid.ULID]Request
 	responses map[ulid.ULID]Response
 	logger    log.Logger
-	enabled   bool
-	reqFilter search.Expression
+
+	requestsEnabled  bool
+	responsesEnabled bool
+	reqFilter        search.Expression
+	resFilter        search.Expression
 }
 
 type Config struct {
-	Logger        log.Logger
-	Enabled       bool
-	RequestFilter search.Expression
+	Logger           log.Logger
+	RequestsEnabled  bool
+	ResponsesEnabled bool
+	RequestFilter    search.Expression
+	ResponseFilter   search.Expression
 }
 
 // RequestIDs implements sort.Interface.
@@ -68,13 +73,15 @@ type RequestIDs []ulid.ULID
 
 func NewService(cfg Config) *Service {
 	s := &Service{
-		reqMu:     &sync.RWMutex{},
-		resMu:     &sync.RWMutex{},
-		requests:  make(map[ulid.ULID]Request),
-		responses: make(map[ulid.ULID]Response),
-		logger:    cfg.Logger,
-		enabled:   cfg.Enabled,
-		reqFilter: cfg.RequestFilter,
+		reqMu:            &sync.RWMutex{},
+		resMu:            &sync.RWMutex{},
+		requests:         make(map[ulid.ULID]Request),
+		responses:        make(map[ulid.ULID]Response),
+		logger:           cfg.Logger,
+		requestsEnabled:  cfg.RequestsEnabled,
+		responsesEnabled: cfg.ResponsesEnabled,
+		reqFilter:        cfg.RequestFilter,
+		resFilter:        cfg.ResponseFilter,
 	}
 
 	if s.logger == nil {
@@ -122,7 +129,7 @@ func (svc *Service) InterceptRequest(ctx context.Context, req *http.Request) (*h
 		return req, nil
 	}
 
-	if !svc.enabled {
+	if !svc.requestsEnabled {
 		// If request intercept is disabled, return the incoming request as-is.
 		svc.logger.Debugw("Bypassed request interception: feature disabled.")
 		return req, nil
@@ -267,14 +274,20 @@ func (svc *Service) Items() []Item {
 }
 
 func (svc *Service) UpdateSettings(settings Settings) {
-	// When updating from `enabled` -> `disabled`, clear any pending reqs.
-	if svc.enabled && !settings.Enabled {
+	// When updating from requests `enabled` -> `disabled`, clear any pending reqs.
+	if svc.requestsEnabled && !settings.RequestsEnabled {
 		svc.ClearRequests()
+	}
+
+	// When updating from responses `enabled` -> `disabled`, clear any pending responses.
+	if svc.responsesEnabled && !settings.ResponsesEnabled {
 		svc.ClearResponses()
 	}
 
-	svc.enabled = settings.Enabled
+	svc.requestsEnabled = settings.RequestsEnabled
+	svc.responsesEnabled = settings.ResponsesEnabled
 	svc.reqFilter = settings.RequestFilter
+	svc.resFilter = settings.ResponseFilter
 }
 
 // ItemByID returns an intercepted item (request and possible response) by ID. It's safe for concurrent use.
@@ -358,25 +371,25 @@ func (svc *Service) InterceptResponse(ctx context.Context, res *http.Response) (
 		return res, nil
 	}
 
-	if !svc.enabled {
-		// If the feature is disabled, return the response as-is.
+	// If global response intercept is disabled and interception is *not* explicitly enabled for this response: bypass.
+	if !svc.responsesEnabled && !(ok && shouldIntercept) {
 		svc.logger.Debugw("Bypassed response interception: feature disabled.")
 		return res, nil
 	}
 
-	// if svc.reqFilter != nil {
-	// 	match, err := MatchRequestFilter(req, svc.reqFilter)
-	// 	if err != nil {
-	// 		return nil, fmt.Errorf("intercept: failed to match request rules for request (id: %v): %w",
-	// 			reqID.String(), err,
-	// 		)
-	// 	}
+	if svc.resFilter != nil {
+		match, err := MatchResponseFilter(res, svc.resFilter)
+		if err != nil {
+			return nil, fmt.Errorf("intercept: failed to match response rules for response (id: %v): %w",
+				reqID.String(), err,
+			)
+		}
 
-	// 	if !match {
-	// 		svc.logger.Debugw("Bypassed interception: request rules don't match.")
-	// 		return req, nil
-	// 	}
-	// }
+		if !match {
+			svc.logger.Debugw("Bypassed response interception: response rules don't match.")
+			return res, nil
+		}
+	}
 
 	ch := make(chan *http.Response)
 	done := make(chan struct{})
diff --git a/pkg/proxy/intercept/intercept_test.go b/pkg/proxy/intercept/intercept_test.go
index 2ed20f8..bb5e91d 100644
--- a/pkg/proxy/intercept/intercept_test.go
+++ b/pkg/proxy/intercept/intercept_test.go
@@ -28,8 +28,9 @@ func TestRequestModifier(t *testing.T) {
 
 		logger, _ := zap.NewDevelopment()
 		svc := intercept.NewService(intercept.Config{
-			Logger:  logger.Sugar(),
-			Enabled: true,
+			Logger:           logger.Sugar(),
+			RequestsEnabled:  true,
+			ResponsesEnabled: false,
 		})
 
 		reqID := ulid.MustNew(ulid.Timestamp(time.Now()), ulidEntropy)
@@ -45,8 +46,9 @@ func TestRequestModifier(t *testing.T) {
 
 		logger, _ := zap.NewDevelopment()
 		svc := intercept.NewService(intercept.Config{
-			Logger:  logger.Sugar(),
-			Enabled: true,
+			Logger:           logger.Sugar(),
+			RequestsEnabled:  true,
+			ResponsesEnabled: false,
 		})
 
 		ctx, cancel := context.WithCancel(context.Background())
@@ -88,8 +90,9 @@ func TestRequestModifier(t *testing.T) {
 
 		logger, _ := zap.NewDevelopment()
 		svc := intercept.NewService(intercept.Config{
-			Logger:  logger.Sugar(),
-			Enabled: true,
+			Logger:           logger.Sugar(),
+			RequestsEnabled:  true,
+			ResponsesEnabled: false,
 		})
 
 		var got *http.Request
diff --git a/pkg/proxy/intercept/settings.go b/pkg/proxy/intercept/settings.go
index 084b35d..15bc154 100644
--- a/pkg/proxy/intercept/settings.go
+++ b/pkg/proxy/intercept/settings.go
@@ -3,6 +3,8 @@ package intercept
 import "github.com/dstotijn/hetty/pkg/search"
 
 type Settings struct {
-	Enabled       bool
-	RequestFilter search.Expression
+	RequestsEnabled  bool
+	ResponsesEnabled bool
+	RequestFilter    search.Expression
+	ResponseFilter   search.Expression
 }
diff --git a/pkg/reqlog/reqlog.go b/pkg/reqlog/reqlog.go
index d7e652e..65b7f2e 100644
--- a/pkg/reqlog/reqlog.go
+++ b/pkg/reqlog/reqlog.go
@@ -217,14 +217,16 @@ func (svc *service) ResponseModifier(next proxy.ResponseModifyFunc) proxy.Respon
 
 		clone := *res
 
-		// TODO: Use io.LimitReader.
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return fmt.Errorf("reqlog: could not read response body: %w", err)
-		}
+		if res.Body != nil {
+			// TODO: Use io.LimitReader.
+			body, err := io.ReadAll(res.Body)
+			if err != nil {
+				return fmt.Errorf("reqlog: could not read response body: %w", err)
+			}
 
-		res.Body = ioutil.NopCloser(bytes.NewBuffer(body))
-		clone.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+			res.Body = io.NopCloser(bytes.NewBuffer(body))
+			clone.Body = io.NopCloser(bytes.NewBuffer(body))
+		}
 
 		go func() {
 			if err := svc.storeResponse(context.Background(), reqLogID, &clone); err != nil {