NodeScript · Docs

# Fetch vs. Http Request

Integrating services is typically achieved by sending HTTP requests to the corresponding servers (commonly referred to as "API", short for "Application Programming Interface"). This is done either to retrieve the data or to send a command for the server to do something, for example, update a record or send an email.

NodeScript provides two modules for sending HTTP Requests: Web / Fetch and Web / Http Request.

Web / Fetch, as its name suggests, uses standard Fetch API (opens new window) to send the request directly, whereas Http Request module forwards a request through a backend. Even though this sounds like an implementation detail, in practice there are important differences as is outlined below.

# Cross Origin Restrictions

When used inside the browser (e.g. in the editor), Fetch can only send requests to the web services that implement a very unrestrictive Cross Origin Resource Sharing policy (CORS) (opens new window).

Services typically implement strict CORS policies by allowing only a particular set of web origins to send the authenticated requests to their APIs using the web browser. This is done to prevent certain attack vectors as well as to discourage the external API clients from using insecure practices like storing the credentials on the client.

It is highly advisable to become familiar with Security on the web if you wish to learn more on the subject.

Because of this most services will reject authenticated Fetch requests sent by the browser from an unknown origin (such as NodeScript editor). It is a good thing that they do, because otherwise an attacker could steal your sensitive data like cookies and use them to impersonate you on that service.

On the other hand, Http Request module forwards the requests through its own backend (opens new window). Since NodeScript backend doesn't have the same origin as the target service, browser will never implicitly send sensitive information like cookies to it, making this solution safe and secure.

Conceptually Http Request is not too different from command line tools like cURL or any other HTTP client library available on the backend. Also, the above restrictions do not apply to the endpoints and schedules — those are using backend runtime without same-origin restrictions.

# Features

Fetch API (opens new window) is a web standard created predominantly for the web browsers, so feature-wise it is limited to what browsers can do.

Specifically with Web / Fetch,

  • you cannot send custom HTTP headers, unless they are explicitly allowed by target service's CORS policies (via Access-Control-Allow-Headers)
  • you cannot modify, add or remove Forbidden headers (opens new window) such as Referer or Sec-*
  • you cannot use a custom proxy server
  • you cannot control how HTTP redirects (opens new window) are handled
  • you cannot use custom CA certificates to communicate with the trusted services using self-signed SSL certificates

If you encounter any of the above limitation, please use Http Request module.

# Performance

Fetch is naturally much faster than Http Request simply because there are fewer steps to go through. Even though NodeScript's Fetch Backend (opens new window) is very performant, there are still inherent costs associated with TLS and parsing HTTP payloads.

For that reason, always prefer Fetch if you're not using any features that would otherwise make Fetch unfeasible, such as authenticated requests, custom headers or proxies.