== How to fix it in HTTPX

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=21,diff-type=noncompliant]
----
from fastapi import FastAPI
import httpx

app = FastAPI()

@app.get('/example')
def example(url: str):
    r = httpx.get(url)  # Noncompliant
    return {"response": r.text}
----

==== Compliant solution

[source,python,diff-id=21,diff-type=compliant]
----
from fastapi import FastAPI
from fastapi.responses import JSONResponse
import httpx
from urllib.parse import urlparse

DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com']
app = FastAPI()

@app.get('/example')
def example(url: str):
    if not urlparse(url).hostname in DOMAINS_ALLOWLIST:
        return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400)

    r = httpx.get(url)
    return {"response": r.text}
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

The compliant code example uses such an approach.
HTTPX implicitly validates the scheme as it only allows `http` and `https` by default.

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]