Outbound HTTP Policies

These methods exist on the policy.outboundHttp object as seen in the following example:

(policy) => {
  policy.outboundHttp.allowGet('https://intrinsic.com/**');
}

These policies affect outbound HTTP requests, such as when working with ClientRequests via the http or https module. Of course, any third party modules such as request will be subject to these policies as well.

When writing policies it is necessary to specify exactly the protocol you need access to. As an example, if you allow access to the http: version of a URL, requests made to the same URL but via https: will then fail (despite https: obviously being more secure than http:). If you do need access to both the insecure and secure versions of a URL, you can replace the protocol with *.

Note that the urlPattern strings mentioned below work with the glob syntax.

policy.outboundHttp.allowGet(urlPattern)

Allows the use of GET requests to a URL matching urlPattern.

A violation of this policy will look like the following:

[INTRINSIC] OutboundHttpPolicyViolation: POLICY_VIOLATION sb: "0"
  | [GET] http://example.com/ not in outbound http whitelist

policy.outboundHttp.allowPost(urlPattern)

Allows the use of POST requests to a URL matching urlPattern.

A violation of this policy will look like the following:

[INTRINSIC] OutboundHttpPolicyViolation: POLICY_VIOLATION sb: "0"
  | [POST] http://example.com/ not in outbound http whitelist

policy.outboundHttp.allowPut(urlPattern)

Allows the use of PUT requests to a URL matching urlPattern.

A violation of this policy will look like the following:

[INTRINSIC] OutboundHttpPolicyViolation: POLICY_VIOLATION sb: "0"
  | [PUT] http://example.com/ not in outbound http whitelist

policy.outboundHttp.allowDelete(urlPattern)

Allows the use of DELETE requests to a URL matching urlPattern.

A violation of this policy will look like the following:

[INTRINSIC] OutboundHttpPolicyViolation: POLICY_VIOLATION sb: "0"
  | [DELETE] http://example.com/ not in outbound http whitelist

All HTTP Methods

We officially support several HTTP methods which aren't listed above (for sake of brevity). Their usage and violation messaging follow the same pattern as the methods listed above. The list of all supported policy methods, and their respective error messages, are shown below:

  • policy.outboundHttp.allowGet() / GET
  • policy.outboundHttp.allowPost() / POST
  • policy.outboundHttp.allowPut() / PUT
  • policy.outboundHttp.allowPatch() / PATCH
  • policy.outboundHttp.allowDelete() / DELETE
  • policy.outboundHttp.allowHead() / HEAD
  • policy.outboundHttp.allowOptions() / OPTIONS
  • policy.outboundHttp.allowTrace() / TRACE
  • policy.outboundHttp.allowConnect() / CONNECT