requests
★
★
★
★
★
3
reviews
Python HTTP for Humans.
95
Security
68
Quality
47
Maintenance
71
Overall
v2.32.5
PyPI
Python
Aug 18, 2025
by Kenneth Reitz
No Known Issues
This package has a good security score with no known vulnerabilities.
53830
GitHub Stars
4.0/5
Avg Rating
Community Reviews
CAUTION
Ergonomic HTTP client with TLS defaults, but requires security vigilance
Requests has been my go-to HTTP client for years because the API is genuinely intuitive - session management, authentication helpers, and automatic content decoding just work. The library handles TLS/SSL verification by default (verify=True), which is the right secure-by-default choice, though I've seen too many developers set verify=False in production to bypass certificate issues rather than fixing root causes.
The dependency chain has been a mixed bag. The project had a long period of maintenance uncertainty, and the bundled urllib3/chardet dependencies have occasionally lagged on CVE patches. You need to actively monitor security advisories. Error handling is developer-friendly but can expose URL details in tracebacks, so be careful with logging in security-sensitive contexts.
Input validation is mostly your responsibility - the library won't protect you from SSRF attacks or parameter injection if you're building URLs from user input. The timeout parameter defaults to None (infinite wait), which I consider a security anti-pattern that's bitten me in production. Always set explicit timeouts.
The dependency chain has been a mixed bag. The project had a long period of maintenance uncertainty, and the bundled urllib3/chardet dependencies have occasionally lagged on CVE patches. You need to actively monitor security advisories. Error handling is developer-friendly but can expose URL details in tracebacks, so be careful with logging in security-sensitive contexts.
Input validation is mostly your responsibility - the library won't protect you from SSRF attacks or parameter injection if you're building URLs from user input. The timeout parameter defaults to None (infinite wait), which I consider a security anti-pattern that's bitten me in production. Always set explicit timeouts.
TLS certificate verification enabled by default, forcing conscious opt-out
Session objects properly handle connection pooling and cookie persistence securely
Clean API for authentication schemes including mutual TLS and custom auth handlers
Exceptions clearly distinguish network failures from HTTP errors without leaking sensitive data
No default timeout leads to hanging connections and potential resource exhaustion
Historical maintenance gaps caused delayed CVE responses in urllib3 dependency
No built-in protection against SSRF or URL injection attacks
Best for: Internal services and client applications where you control both endpoints and need straightforward HTTP operations with reasonable security defaults.
Avoid if: You're building security-critical systems requiring SSRF protection, need HTTP/2 support, or can't tolerate dependency supply chain risk.
RECOMMENDED
Solid HTTP client with good defaults, but requires security vigilance
Requests remains the gold standard for Python HTTP work with genuinely intuitive APIs. Certificate verification is enabled by default (verify=True), which is critical for security, though you'll constantly encounter developers disabling it in production code—code reviews must catch this. The Session object with connection pooling is excellent for performance and makes managing auth tokens straightforward.
From a security perspective, the library handles redirects safely by default and properly validates hostnames against certificates. Error handling is clean—exceptions like ConnectionError and Timeout don't leak sensitive data, though custom error handlers need careful review. The prepared request pattern makes input validation explicit, which I appreciate when building secure APIs.
The main pain point is dependency on urllib3, which has had several CVEs over the years. You need active monitoring since requests updates don't always immediately bump urllib3 versions. The library doesn't provide built-in rate limiting or request signing helpers, so you'll build these yourself. TLS 1.2+ is enforced on modern Python, but older environments require attention.
From a security perspective, the library handles redirects safely by default and properly validates hostnames against certificates. Error handling is clean—exceptions like ConnectionError and Timeout don't leak sensitive data, though custom error handlers need careful review. The prepared request pattern makes input validation explicit, which I appreciate when building secure APIs.
The main pain point is dependency on urllib3, which has had several CVEs over the years. You need active monitoring since requests updates don't always immediately bump urllib3 versions. The library doesn't provide built-in rate limiting or request signing helpers, so you'll build these yourself. TLS 1.2+ is enforced on modern Python, but older environments require attention.
Certificate verification enabled by default with proper hostname validation
Session objects with connection pooling make auth token management clean and performant
Exceptions are well-designed and don't expose request bodies or auth headers
Prepared requests API makes input validation and parameter encoding explicit
Dependency on urllib3 requires active CVE monitoring as version bumps lag behind
No built-in rate limiting, request signing, or retry logic with backoff
Documentation doesn't emphasize security implications of verify=False prominently enough
Best for: Standard HTTP client needs where you control both endpoints or consume well-known APIs with straightforward authentication.
Avoid if: You need async support, built-in request signing for AWS/OAuth, or HTTP/2 support—use httpx instead.
RECOMMENDED
Battle-tested HTTP client with solid defaults, but requires security vigilance
Requests has been my go-to for HTTP operations across dozens of production services. The API is genuinely intuitive—sessions with connection pooling, automatic content decoding, and straightforward authentication patterns work exactly as expected. TLS verification is enabled by default (critical), and certificate handling is sensible out of the box.
From a security perspective, the library gets most things right. SSL/TLS defaults are secure, the verify parameter prevents accidental certificate bypass, and timeout handling forces you to be explicit (good for preventing resource exhaustion). However, you must manually set timeouts on every request—there's no global default—which has bitten teams I've worked with during outages. Error messages generally don't leak sensitive data, though custom headers can appear in tracebacks if you're not careful with logging.
The dependency chain has had some rough patches (urllib3 CVEs, chardet/charset-normalizer transitions), requiring vigilant monitoring. Input validation for URLs is permissive, so sanitize user-provided URLs yourself. The library doesn't protect against SSRF by default—you need to implement IP allowlisting separately.
From a security perspective, the library gets most things right. SSL/TLS defaults are secure, the verify parameter prevents accidental certificate bypass, and timeout handling forces you to be explicit (good for preventing resource exhaustion). However, you must manually set timeouts on every request—there's no global default—which has bitten teams I've worked with during outages. Error messages generally don't leak sensitive data, though custom headers can appear in tracebacks if you're not careful with logging.
The dependency chain has had some rough patches (urllib3 CVEs, chardet/charset-normalizer transitions), requiring vigilant monitoring. Input validation for URLs is permissive, so sanitize user-provided URLs yourself. The library doesn't protect against SSRF by default—you need to implement IP allowlisting separately.
TLS verification enabled by default with clear verify=False warnings when disabled
Session objects provide connection pooling and cookie persistence with minimal setup
Authentication adapters (Basic, Digest, OAuth) are straightforward and composable
Excellent timeout control at both connection and read levels once you remember to set them
No default timeout values—forgetting to set them causes hanging requests in production
No built-in SSRF protection; must implement your own URL/IP validation for user input
Dependency chain (urllib3, certifi) has periodic CVEs requiring rapid updates
Best for: Internal services, API clients, and web scraping where you need reliable HTTP with reasonable security defaults.
Avoid if: You need async/await support (use httpx instead) or require strict supply chain minimalism.
Write a Review
Sign in to write a review
Sign In
Dependencies
Used By
arxiv
56
databricks-vectorsearch
45
ray
51
exa-py
48
requests-unixsocket
54
google-api-core
75
singer-sdk
51
requests-mock
50
twine
71
apache-airflow-providers-databricks
63
statsig-python-core
53
prance
64
mistral-common
44
oss2
42
diffusers
67
snowplow-tracker
50
python-gitlab
73
looker-sdk
54
mkdocs-material
64
plantuml-markdown
50
and 226 more