HttpSecurityPinningClient class

An implementation of Dart's HttpClient that enforces certificate pinning.

This client ensures that connections are only made to servers presenting certificates with a Subject Public Key Info (SPKI) that matches one of the provided spkiHashes.

It works as a wrapper around a standard HttpClient, intercepting connection creation to inject a custom SecurityContext with the pinned certificates.

If the server's certificate chain does not match any of the provided pins, the connection will fail, throwing a NoValidPinsFoundException before the request is sent.

Example usage with package:http:

final secureClient = IOClient(HttpSecurityPinningClient(
  ["YOUR_SPKI_HASH_HERE"],
));
final response = await secureClient.get(Uri.parse('https://example.com'));

Implemented types

HttpClient

Constructors

HttpSecurityPinningClient(List<String> spkiHashes, {Duration timeout = const Duration(seconds: 10), int retryCount = 3}): Creates a new HttpClient that enforces certificate pinning.

Properties

authenticate ← Future<bool> Function(Uri url, String scheme, String? realm)?: Sets the function to be called when a site is requesting authentication.
no getteroverride
authenticateProxy ← Future<bool> Function(String host, int port, String scheme, String? realm)?: Sets the function to be called when a proxy is requesting authentication.
no getteroverride
autoUncompress ↔ bool: Gets and sets whether the body of a response will be automatically uncompressed.
getter/setter pairoverride
badCertificateCallback ← bool Function(X509Certificate cert, String host, int port)?: Sets a callback that will decide whether to accept a secure connection with a server certificate that cannot be authenticated by any of our trusted root certificates.
no getteroverride
connectionFactory ← Future<ConnectionTask<Socket>> Function(Uri url, String? proxyHost, int? proxyPort)?: Sets the function used to create socket connections.
no getteroverride
connectionTimeout ↔ Duration?: Gets and sets the connection timeout.
getter/setter pairoverride
findProxy ← String Function(Uri url)?: Sets the function used to resolve the proxy server to be used for opening an HTTP connection to the specified url. If this function is not set, direct connections will always be used.
no getteroverride
hashCode → int: The hash code for this object.
no setterinherited
idleTimeout ↔ Duration: Gets and sets the idle timeout of non-active persistent (keep-alive) connections.
getter/setter pairoverride
keyLog ← void Function(String line)?: Sets a callback that will be called when new TLS keys are exchanged with the server. It will receive one line of text in NSS Key Log Format for each call. Writing these lines to a file will allow tools (such as Wireshark) to decrypt communication between the this client and the server. This is meant to allow network-level debugging of secure sockets and should not be used in production code. For example:
no getteroverride
maxConnectionsPerHost ↔ int?: Gets and sets the maximum number of live connections, to a single host.
getter/setter pairoverride
retryCount → int: The number of times to retry fetching the certificate chain upon failure.
final
runtimeType → Type: A representation of the runtime type of the object.
no setterinherited
timeout → Duration: The timeout for fetching the certificate chain from the native platform.
final
userAgent ↔ String?: Gets and sets the default value of the User-Agent header for all requests generated by this HttpClient.
getter/setter pairoverride

Methods

addCredentials(Uri url, String realm, HttpClientCredentials credentials) → void: Add credentials to be used for authorizing HTTP requests.
override
addProxyCredentials(String host, int port, String realm, HttpClientCredentials credentials) → void: Add credentials to be used for authorizing HTTP proxies.
override
close({bool force = false}) → void: Shuts down the HTTP client.
override
delete(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the DELETE method.
override
deleteUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the DELETE method.
override
get(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the GET method.
override
getUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the GET method.
override
head(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the HEAD method.
override
headUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the HEAD method.
override
noSuchMethod(Invocation invocation) → dynamic: Invoked when a nonexistent method or property is accessed.
inherited
open(String method, String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection.
override
openUrl(String method, Uri url) → Future<HttpClientRequest>: Opens an HTTP connection.
override
patch(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the PATCH method.
override
patchUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the PATCH method.
override
post(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the POST method.
override
postUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the POST method.
override
put(String host, int port, String path) → Future<HttpClientRequest>: Opens an HTTP connection using the PUT method.
override
putUrl(Uri url) → Future<HttpClientRequest>: Opens an HTTP connection using the PUT method.
override
toString() → String: A string representation of this object.
inherited

Operators

operator ==(Object other) → bool: The equality operator.
inherited

Static Methods

clearCache() → void: Clears the static cache of fetched certificates.