httpclient¶
A hardened, framework-free *http.Client factory — secure TLS defaults, a
downgrade-proof redirect policy, and the go/transit retry / circuit-breaker / auth
middleware, wired onto the standard library.
gitlab.com/phpboyscout/go/httpclient gives a service or library a secure-by-default
outbound HTTP client without a framework in tow. NewClient(...) returns a stock
*http.Client hardened with a TLS 1.2 floor, curated cipher suites, connection limits,
timeouts, and a redirect policy that refuses HTTPS→HTTP downgrades — then layers on the
go/transit client middleware through options. It is
the client half of the transport stack extracted from
go-tool-base.
Why¶
- Framework-free. It depends only on go/tls,
go/transit and
cockroachdb/errors. Adepfootprint_test.goguard forbids go-tool-base, the server stack (controls/authn/gateway), the gRPC SDK, and the cloud/CLI/TUI stacks — so a client-only consumer never inherits any of them. - Secure by default. Hardened TLS and a
CheckRedirectthat caps redirects and blocks downgrade attacks ship out of the box; you opt out, not in. See hardened defaults. - The middleware is transit's. Retry, circuit breaking, host-pinned credentials and
request logging are the
go/transitclient round-trippers; this module wires them into the client.
Where next¶
- Getting started — a hardened client making a retrying request in a few lines.
- Compose client middleware — retry, circuit breaker, auth and logging, in the right order.
- Hardened defaults & the factory model
— what
NewClientsets, and why the client factory is separate from the middleware. - API reference — full godoc on pkg.go.dev.
Part of the phpboyscout Go toolkit — small, framework-free Go modules extracted from go-tool-base.