HttpService Custom Headers Are Now Live

This update consists of adding a Variant argument to the end of HttpService’s GetAsync and PostAsync methods. Users can now specify specific header keys and values when making Http get and post requests.

The format for headers is expected to be something like this:
local headers = {
[“Authorization”] = “MyAuthorizationCode”,
[“My-Custom-Http-Header”] = “sdoisfdlksdjkfd”,
}

One thing to note, if you’re using the Authorization header you should probably wrap it in a pcall just in case we need to suddenly turn this feature off. Http service will return an “Unauthorized” error in the case of authorization failure, which will definitely be the case if this feature is disabled.

45 Likes

Mayday mayday. We have achieved freedom.

This will allow some nice new stuff like uploading to pastebin (without using a proxy)

EDIT: I’ve mentioned one of the few things that don’t require headers… gg

3 Likes

I’m fairly sure you can already upload to pastebin from ROBLOX without needing custom headers.

1 Like

I don’t use HttpService often just because everything generally requires proxies, but this update sounds interesting. Would anyone mind posting lists of cool things I can do with this (that don’t require a proxy)?

1 Like

Discord uses websockets though, so not sure that will be possible entirely, at least not receiving chat events.

Should be able to, yep.

1 Like

Yeah, most API stuff is just posting to some url with the right Authorization header and JSON body.
Although, some methods use PATCH/DELETE instead of POST/GET, so that’s a bit… annoying…
(although those are probably not the things you wanna do, except when deleting a previous message)

2 Likes

So a more direct google analytics?

2 Likes

If you do please let me know how, if you are willing.

Investigating GameAnalytics.com now. Woo.

3 Likes

The test I ran to make sure it works was actually communicating with GameAnalytics.com. It used default values, because I didn’t want to write whatever SHA hash something conversion for authentication in Lua. If you ever get that working you should let me know. :wink:

3 Likes

Can anyone explain what this actually means? I’ve used httpservice with my database, but beyond what I had to learn with that, I don’t know about interacting with websites. What can headers do?

I’m interested in getting this working too, so I put together some stuff I found on the internet to get authentication working. Here is a model.

I got the test string working, so this should be able to get authentication in general working. This uses lockbox for HMAC and SHA2-256, and bit numberlua for the bit library.

Also, @Ozzypig since you’re probably interested as well.

3 Likes

Basically for website logins and apis, they use the Authorization header, so basically for an example, you could use some of Discord’s APIs using that header. so you could send messages or something to discord.

Another good example of what could be possible, is integration with twitch.

Thanks for the explanation, though Im not too sure what it means yet. Is this basically a way of sending data to specific parts of a page that you couldnt before, like filling in a username/password?

1 Like

Its similar to sending post data but not through a form. Think of them like parameters to a HTTP request where you can define any of them and not in any particular order.
For instance, some web requests use Authorization header with an authentication token to verify the sender and some use the Accept header to tell it the format to respond with, so sending “application/json” as the Accept header would request that data is sent back as JSON, even if the default is XML. But allowing for these headers to be used is purely up to the person hosting the server you request from.

If you want to know the current headers:

1 Like

Does the headers table allow for any header, or is there a restriction? If there isn’t a restriction, we should (in theory) be able to use X-HTTP-Method-Override to simulate requests which aren’t GET or POST.

There are a few restrictions. It will properly tell you if you can’t use a specific header if you try to use it.The method override one shouldn’t be on the restricted list.

1 Like

blob.png

Well well well… Hopefully there’s a solution for this already… right?

Edit: This fixed it

:gsub("%%%x%x", function(match) return string.char(tonumber(match:sub(2), 16)) end)

on the auth header

1 Like

This allows you to send the desired header with the ‘%’ character in it for authentication and everything works fine and you’re able to properly authenticate?