github.com/hashicorp/go-cleanhttp
Package cleanhttp offers convenience utilities for acquiring "clean" http.Transport and http.Client structs. Values set on http.DefaultClient and http.DefaultTransport affect all callers. This can have detrimental effects, esepcially in TLS contexts, where client or root certificates set to talk to multiple endpoints can end up displacing each other, leading to hard-to-debug issues. This package provides non-shared http.Client and http.Transport structs to ensure that the configuration will not be overwritten by other parts of the application or dependencies. The DefaultClient and DefaultTransport functions disable idle connections and keepalives. Without ensuring that idle connections are closed before garbage collection, short-term clients/transports can leak file descriptors, eventually leading to "too many open files" errors. If you will be connecting to the same hosts repeatedly from the same client, you can use DefaultPooledClient to receive a client that has connection pooling semantics similar to http.DefaultClient.
Readme
Functions for accessing "clean" Go http.Client values
The Go standard library contains a default http.Client called
http.DefaultClient. It is a common idiom in Go code to start with
http.DefaultClient and tweak it as necessary, and in fact, this is
encouraged; from the http package documentation:
The Client's Transport typically has internal state (cached TCP connections), so Clients should be reused instead of created as needed. Clients are safe for concurrent use by multiple goroutines.
Unfortunately, this is a shared value, and it is not uncommon for libraries to assume that they are free to modify it at will. With enough dependencies, it can be very easy to encounter strange problems and race conditions due to manipulation of this shared value across libraries and goroutines (clients are safe for concurrent use, but writing values to the client struct itself is not protected).
Making things worse is the fact that a bare http.Client will use a default
http.Transport called http.DefaultTransport, which is another global value
that behaves the same way. So it is not simply enough to replace
http.DefaultClient with &http.Client{}.
This repository provides some simple functions to get a "clean" http.Client
-- one that uses the same default values as the Go standard library, but
returns a client that does not share any state with other clients.
FAQs
Package cleanhttp offers convenience utilities for acquiring "clean" http.Transport and http.Client structs. Values set on http.DefaultClient and http.DefaultTransport affect all callers. This can have detrimental effects, esepcially in TLS contexts, where client or root certificates set to talk to multiple endpoints can end up displacing each other, leading to hard-to-debug issues. This package provides non-shared http.Client and http.Transport structs to ensure that the configuration will not be overwritten by other parts of the application or dependencies. The DefaultClient and DefaultTransport functions disable idle connections and keepalives. Without ensuring that idle connections are closed before garbage collection, short-term clients/transports can leak file descriptors, eventually leading to "too many open files" errors. If you will be connecting to the same hosts repeatedly from the same client, you can use DefaultPooledClient to receive a client that has connection pooling semantics similar to http.DefaultClient.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.
Security News
Researchers have demonstrated that teams of LLM agents can exploit zero-day vulnerabilities with a 53% success rate, and the costs of using AI to do so are rapidly becoming more affordable than hiring a human penetration tester.
