Allow scripts to access HttpEnabled

As a Roblox developer, it is currently too hard to effectively check to see if HttpEnabled is set to true or false. Some hacks are done by sending a GetAysnc() request to a website like Google or even the one that data needs to be sent to. While this accomplishes what is needed, it could impact games that are quite heavy on using HttpService. Thus, as the title suggestions, I’m requesting that scripts should be able to read HttpEnabled, but not change it for obvious reasons. If Roblox would be able to address this issue, it would improve the development experience as it’ll be a lot easier to check if HttpEnabled is true or false. Due to such, one could easily think of a fairly long list of use cases, with the main examples being admin scripts and other free models that send and/or retrieve data via HttpService.


I’d suggest you change this to “Allow scripts to access HttpEnabled” and remove the additional property aspect.

I mean, using the “hack” once works, no? Only 1 out of 500 HTTP requests.

local HttpEnabled = pcall(game.HttpService.GetAsync, game.HttpService, '');

My personal approach.


While the hack to detect if it’s enabled is simple, a hack still shouldn’t be done to determine if it’s enabled or not. What if, on the extremely rare chance, that Google is down. It would return a false positive to your check, which would ruin the entire script in question.


I root for the change too, but I mean in the meantime we have a stable solution we can use until this is taken care of, as often times you only need this check when your content is going to be used by a third party, too.

That only works once, for say a plugin requires HttpService to be enabled, you need to call that once, then check if it’s enabled; if not, repeat pcall(getAsync()) until desiredResult

Try sending a request to a url such as “a” instead. The engine will see that this cannot be a valid URL in any way and returns immediately with the error (doesn’t even attempt to send a request). The error is different depending on whether HttpEnabled is on/off.

It’s still a hack so I agree with the feature requests, although I have to wonder why they made it this way in the first place.

HttpEnabled is off:

local stat, err = pcall(game.HttpService.GetAsync, game.HttpService, 'a')

Http requests are not enabled. Enable via game settings

HttpEnabled is on:

local stat, err = pcall(game.HttpService.GetAsync, game.HttpService, 'a')

a: Trust check failed


function isHttpEnabled()
   local _, err = pcall(game:GetService("HttpService").GetAsync, game.HttpService, 'a')
   return (err:lower():find("trust check failed") ~= nil) -- little bit more future-proof

If I recall correctly the reason they did this is because malicious scripts could easily steal your place and upload the game data to a remote server right under the game developer’s nose. I’m pretty sure even plugins can’t touch HttpEnabled for this reason.

1 Like

The feature request is to allow querying the property, so there should be no security risk.

Oh my, I’m blind.

1 Like

I would most like this as a getter, a method in HttpService like :IsEnabled() rather than setting the property to accessible, even if read-only. Not the kind of property you want to take risks with.

There are no security risks with read-only properties opening doors to make the property writable.


Is there actually any source how Roblox implements their properties? In the standard C++ setups I have seen I would think it is the difference between setting the property to private within the class instead of public or declaring a different class a friend. If they do internally keep the property private I do not think it makes a difference, however this is something I do not know and would love to know.

See above.


But is it only possible to blackbox behavior or is there any actual source of Roblox classes available? Perhaps doxygen or similar documentation of the actual class files.

I believe there is no public source to how properties work, but this is just an example of what is currently possible, which could solve the current issue.

This should be possible now that the ScriptWriteRestricted context exists. Applying this to HttpEnabled would allow it to be readable by everything, but writable only by high-privilege identities.

Bump. I’m still not sure why server scripts STILL cannot read the property HttpEnabled of HttpService six years later, while the command bar can edit and read this value. As the OP said, you can make a request to google but this has its own set of issues, if google rejects the request or is down (somehow) then it will fail, although you could add a retry method this just takes more requests of the 500 each game server has per minute.

buildthomas’s method does not work anymore, as HttpService now errors with URL must be http, of course you could try https://a, but this just sends another request and just replies with a DnsResolve error.

If you think this would come as a security risk, you can literally check if its enabled with the methods above although it uses request(s).

Over-all this would be a great engine feature to have, and locking the property behind LocalUser capability doesn’t really make sense.

Thank you @TheTrollock for the reply, I will be using that from now on unless this feature is added, though it is still painful to use a “hacky” method just to check if HttpService is enabled. (Edit: I did not realize at first that no request is sent)

1 Like

You can fix his method by sending a request to instead. If http is enabled, it will not send a request and error immediately; if http is disabled, it will error with the usual message:

local http = game:GetService("HttpService")
local function isHttpEnabled()
    local _, err = pcall(http.GetAsync, http, "")
    return err:lower():find("is not allowed to access roblox resources") ~= nil
1 Like

Did you mean == nil instead of ~= nil?