Requests

2.32.5 · active · verified Wed Mar 25

The de facto standard synchronous HTTP client for Python. Current version is 2.32.5 (Aug 2025). Stable, slow-moving library. Primary footgun: no default timeout — hangs forever by default. No async support — use httpx or aiohttp for async contexts.

Warnings

breaking NO default timeout. requests.get(url) without timeout= hangs indefinitely if the server is slow or unresponsive. This is the #1 production incident cause in requests-based code. LLMs almost never include timeout in generated code.
Fix: Always pass timeout=(connect_timeout, read_timeout) or a single float: requests.get(url, timeout=30). For sessions: session.get(url, timeout=30).
breaking verify=False on first request in a Session leaked to all subsequent requests to the same origin (security bug fixed in 2.32.3 / GHSA-9wx4-h78v-vm56). If using older versions, verify=False permanently disabled SSL for that origin in the session.
Fix: Upgrade to requests>=2.32.3. Avoid verify=False in production entirely.
breaking HTTPAdapter._get_connection() is deprecated since 2.32.0 following CVE-2024-35195. Custom HTTPAdapter subclasses that override _get_connection must migrate to get_connection_with_tls_context().
Fix: Override get_connection_with_tls_context(url, verify, cert, proxies) instead of _get_connection(). See requests 2.32.2 release notes for a minimal 2-line migration example.
breaking urllib3 2.x requires OpenSSL 1.1.1+. On Amazon Linux 2, RHEL 7, or Python builds using older OpenSSL: ImportError: urllib3 v2 only supports OpenSSL 1.1.1+. Upgrading requests pulls in urllib3 2.x which breaks these environments.
Fix: On affected systems, pin urllib3<2: pip install 'urllib3<2'. Or upgrade the OS/Python to one with OpenSSL 1.1.1+.
gotcha requests has NO async support. Using requests in async code (asyncio, FastAPI, Starlette) blocks the entire event loop. requests.get() in an async def handler will freeze all concurrent requests.
Fix: Use httpx.AsyncClient or aiohttp.ClientSession for async contexts. If you must use requests in async code, wrap in asyncio.to_thread(): await asyncio.to_thread(requests.get, url, timeout=30).
gotcha response.text uses charset detected from the response, which may be wrong. For JSON APIs, always use response.json() or response.content (bytes) rather than response.text to avoid encoding issues.
Fix: Use response.json() for JSON responses. Use response.content for binary. Use response.text only when you know the encoding or check response.encoding first.
gotcha redirect follows are enabled by default (allow_redirects=True). Requests will silently follow redirects, including redirecting POST to GET (HTTP 302 behavior). Sensitive POST data may be sent to an unexpected URL.
Fix: Pass allow_redirects=False for sensitive POST requests. Check response.history to see if redirects occurred.

Install

pip install requests Core

Imports

requests
```
import requests

# Always set a timeout
response = requests.get('https://example.com', timeout=30)
```
requests has NO default timeout. Omitting timeout= causes the request to block indefinitely on slow or unresponsive servers. This is the single most common production issue with requests.
Session
```
with requests.Session() as session:
    response = session.get('https://example.com', timeout=30)
```
Use Session as a context manager to ensure connection pool cleanup. Session objects reuse connections automatically — always prefer Session over repeated requests.get() calls.

Quickstart

Always pass timeout=. Use Session for multiple requests to same host.

import requests

# One-shot (no connection reuse)
response = requests.get('https://httpbin.org/get', timeout=30)
response.raise_for_status()
data = response.json()

# Session (connection reuse, recommended)
with requests.Session() as session:
    session.headers.update({'Authorization': 'Bearer token'})
    r = session.get('https://api.example.com/users', timeout=30)
    r.raise_for_status()
    users = r.json()

view raw JSON →