requests-hardened
raw JSON → 1.2.2 verified Fri May 01 auth: no python
A security-hardened wrapper around the Python requests library that overrides default behaviors to prevent SSRF attacks, enforce TLS best practices, restrict IP ranges, and add safety features. Current version 1.2.2, supports Python >=3.10, <4.0, and is maintained actively by Saleor.
pip install requests-hardened Common errors
error ModuleNotFoundError: No module named 'requests_hardened' ↓
cause Library not installed or wrong import name.
fix
pip install requests-hardened, then import as 'from requests_hardened import Session'.
error AttributeError: module 'requests' has no attribute 'Session' ↓
cause Monkey-patching may not have taken effect because import order is incorrect or the library was not imported.
fix
Ensure you import requests_hardened (or a submodule) before any requests usage. E.g., 'import requests_hardened; requests.get(...)'
Warnings
breaking Version 1.2.1 fixed CVE-2026-42175 (SSRF bypass via shared address space 100.64.0.0/10). Users on <1.2.1 are vulnerable and must upgrade. ↓
fix pip install 'requests-hardened>=1.2.1'
deprecated Python 3.9 support dropped in v1.2.0. Python 3.10+ required. ↓
fix Use Python 3.10 or newer, or pin to <1.2.0 if stuck on 3.9.
gotcha The library monkey-patches the global requests module when imported. This may break other code that expects the standard requests behavior. ↓
fix Use the provided Session class instead of relying on monkey-patched functions. Avoid mixing with other requests wrappers.
Imports
- Session
from requests_hardened import Session - Config
from requests_hardened import Config - ip_filter
from requests_hardened.ip_filter import IPFilter
Quickstart
from requests_hardened import Session, Config
config = Config(
user_agent='MyApp/1.0',
ip_filter_enabled=True,
ip_filter_allow_loopback=True,
force_tls_1_3=True
)
session = Session(config=config)
response = session.get('https://example.com')
print(response.status_code)