httpCallout
const httpCallout: (config?) => Policy
Defined in: src/policies/traffic/http-callout.ts:66
Make an external HTTP call mid-pipeline.
Resolves URL, headers, and body (static or dynamic), makes the fetch,
and calls the onResponse callback to process the result. Errors are
handled via onError or default to a 502 GatewayError.
Parameters
config?
Callout target, method, headers, body, and response handler.
Returns
A Policy at priority 50 (REQUEST_TRANSFORM).
Security
When the url parameter is a dynamic function that derives
the callout target from request data (headers, path, query, or body),
this policy is vulnerable to Server-Side Request Forgery (SSRF). An
attacker could manipulate request data to make the worker issue requests
to internal services, metadata endpoints (e.g. cloud provider instance
metadata), or other unintended targets. Hardcode callout URLs whenever
possible. If dynamic URLs are required, validate them against an
explicit allowlist of permitted hosts and schemes.
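One way to implement the allowlist check described above, as an added example that is not part of the project's code. The allowlisted hosts, the `resolveCalloutUrl` and `CalloutTargetError` names, and the header used in the wiring comment are assumptions for illustration.

```typescript
// Added example, not part of the project: fail-closed allowlist check for a
// dynamic callout URL. Hosts and function names are illustrative assumptions.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["https:"]);
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "auth.example.com",
  "auth-eu.example.com",
]);

class CalloutTargetError extends Error {}

// `candidate` is the request-derived value; `fixedPath` is chosen by the
// operator, so the caller never controls path, query, or fragment.
function resolveCalloutUrl(candidate: string, fixedPath: string): string {
  let url: URL;
  try {
    url = new URL(candidate); // rejects relative and malformed input
  } catch {
    throw new CalloutTargetError("callout target is not an absolute URL");
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new CalloutTargetError(`scheme not allowed: ${url.protocol}`);
  }
  // Exact match on the parsed, lowercased hostname. Substring or prefix
  // checks on the raw string would accept look-alike hosts.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new CalloutTargetError(`host not allowed: ${url.hostname}`);
  }
  if (url.username !== "" || url.password !== "") {
    throw new CalloutTargetError("userinfo in callout target");
  }
  if (url.port !== "") {
    throw new CalloutTargetError("non-default port in callout target");
  }
  // Rebuild from validated parts instead of forwarding the raw input.
  return `${url.origin}${fixedPath}`;
}

// Assumed wiring (header name is hypothetical):
//   url: (c) => resolveCalloutUrl(c.req.header("x-auth-origin") ?? "", "/validate")
```

The check covers only the initial target. `fetch` follows redirects by default, so an allowlisted host that redirects elsewhere is outside what this validation enforces.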
Example
```ts
httpCallout({
  url: "https://auth.example.com/validate",
  method: "POST",
  headers: { authorization: (c) => c.req.header("authorization") ?? "" },
  body: (c) => ({ path: c.req.path }),
  onResponse: async (res, c) => {
    const data = await res.json();
    c.set("userId", data.userId);
  },
});
```