Skip to main content

Overview

The HttpRequest block is the primary method for making HTTP/HTTPS requests in IronBullet pipelines. It supports advanced features like:
  • JA3 TLS fingerprinting
  • HTTP/2 fingerprinting
  • Custom cipher suites
  • Browser profile emulation
  • Automatic cookie management
  • Proxy support
  • Custom headers and authentication

Settings

method
string
default:"GET"
required
HTTP method: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONSExample: "POST"
url
string
required
Target URL with optional variable interpolationExample: "https://api.example.com/user/<input.USER>"
headers
array
Array of [name, value] header tuples
[
  ["Content-Type", "application/json"],
  ["Authorization", "Bearer <data.TOKEN>"]
]
body
string
Request body with variable interpolationExample: "{\"email\":\"<input.USER>\",\"password\":\"<input.PASS>\"}"
body_type
BodyType
default:"None"
How to encode the request body:
  • None: No body
  • Standard: URL-encoded form data
  • Raw: Send body as-is
  • Multipart: Multipart form data
  • BasicAuth: Use basic authentication
content_type
string
default:"application/x-www-form-urlencoded"
Content-Type header value (only used with certain body types)
follow_redirects
boolean
default:"true"
Automatically follow HTTP redirects
max_redirects
number
default:"8"
Maximum number of redirects to follow
timeout_ms
number
default:"10000"
Request timeout in milliseconds
auto_redirect
boolean
default:"true"
Enable automatic redirect handling
basic_auth
tuple
Basic authentication credentials as [username, password]Example: ["admin", "password123"]
http_version
string
default:"HTTP/1.1"
HTTP version to use: HTTP/1.1, HTTP/2, or HTTP/3
response_var
string
default:"SOURCE"
Variable name prefix for response storage:
  • Response body → data.{response_var}
  • Headers → data.{response_var}.HEADERS
  • Cookies → data.{response_var}.COOKIES
  • Status → data.{response_var}.STATUS
  • URL → data.{response_var}.URL
custom_cookies
string
Custom cookies to send (one per line: name=value)Example:
session=abc123
csrf=xyz789
ssl_verify
boolean
default:"true"
Verify TLS certificates. Set to false for self-signed certs (not recommended for production)
cipher_suites
string
Dash-separated IANA cipher suite IDs to override browser defaultsExample: "4865-4866-4867-49195-49199-49196-49200-52393-52392"
tls_client
TlsClient
default:"RustTLS"
Which TLS/HTTP client to use:
  • RustTLS: Native Rust reqwest client (faster, standard HTTPS)
  • AzureTLS: Go sidecar with JA3/HTTP2 fingerprinting support
browser_profile
string
Browser profile for AzureTLS fingerprinting: chrome, firefox, safari, edgeLeave empty to inherit from pipeline-level settings
ja3_override
string
Per-block JA3 fingerprint override (AzureTLS only)Format: "TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"
http2fp_override
string
Per-block HTTP/2 fingerprint override (AzureTLS only)

Examples

Simple GET Request

{
  "block_type": "HttpRequest",
  "label": "Fetch User Profile",
  "settings": {
    "type": "HttpRequest",
    "method": "GET",
    "url": "https://api.example.com/users/<input.USER>",
    "headers": [
      ["Accept", "application/json"]
    ]
  }
}

POST with JSON Body

{
  "block_type": "HttpRequest",
  "label": "Login Request",
  "settings": {
    "type": "HttpRequest",
    "method": "POST",
    "url": "https://auth.example.com/login",
    "headers": [
      ["Content-Type", "application/json"],
      ["Accept", "application/json"]
    ],
    "body": "{\"email\":\"<input.USER>\",\"password\":\"<input.PASS>\"}",
    "body_type": "Raw",
    "content_type": "application/json"
  }
}

Request with Custom Cookies

{
  "block_type": "HttpRequest",
  "label": "Authenticated Request",
  "settings": {
    "type": "HttpRequest",
    "method": "GET",
    "url": "https://app.example.com/dashboard",
    "custom_cookies": "session=<data.SESSION_ID>\ncsrf=<data.CSRF_TOKEN>"
  }
}

Request with JA3 Fingerprinting

{
  "block_type": "HttpRequest",
  "label": "Fingerprinted Request",
  "settings": {
    "type": "HttpRequest",
    "method": "GET",
    "url": "https://protected-site.com/api",
    "tls_client": "AzureTLS",
    "browser_profile": "chrome",
    "http_version": "HTTP/2"
  }
}

Request with Basic Auth

{
  "block_type": "HttpRequest",
  "label": "API Request",
  "settings": {
    "type": "HttpRequest",
    "method": "GET",
    "url": "https://api.example.com/data",
    "basic_auth": ["<input.API_USER>", "<input.API_KEY>"]
  }
}

Response Variables

After execution, the block populates these variables (assuming default response_var: "SOURCE"):
  • data.SOURCE: Response body as text
  • data.RESPONSECODE: HTTP status code (e.g., "200", "404")
  • data.HEADERS: Response headers as string
  • data.COOKIES: Response cookies
  • data.ADDRESS: Final URL after redirects

TLS Fingerprinting

IronBullet supports two TLS client modes:

RustTLS (Default)

  • Native Rust implementation
  • Faster for standard HTTPS
  • No fingerprinting capabilities
  • Best for internal APIs and simple requests

AzureTLS

  • Go sidecar process with azuretls library
  • Supports JA3 TLS fingerprinting
  • Supports HTTP/2 fingerprinting
  • Custom cipher suites
  • Browser profile emulation
  • Best for bypassing bot detection

Best Practices

  1. Use variable interpolation for dynamic values instead of hardcoding
  2. Set appropriate timeouts to prevent hanging on slow servers
  3. Enable SSL verification in production (disable only for testing)
  4. Use custom response variables when making multiple requests to avoid overwriting data.SOURCE
  5. Choose the right TLS client: Use RustTLS for speed, AzureTLS for fingerprinting