HTTPoison vs HTTPotion


#1

I suppose this question is effectively hackney vs. ibrowse but we are at a point in our project where we have to make a choice between the 2 (or maybe there is a 3rd somebody wants to highlight?)

Just wondering if anybody has any constructive reasons as to why they would use one over the other?


Reliable HTTP libraries? (HTTPoison, HTTPotion, Tesla)?
#2

I have found Tesla to have a friendlier API


#3

Haven’t seen this before - looks pretty cool in that you can switch out and test other adapters.


#4

In my experience most people use Poison.


#5

This is reflected in the Github :star: count but would still be nice to have some opinions on why that is, would be interesting to read a non-biased blog post pitting the 2 against each other in benchmarks and analysing some KPI’s relevant to a library/application of this nature.


#6

This performance analysis is interesting, especially if HTTPotion by default isn’t running an “optimized” ibrowse - perhaps the optimization itself (increased session count to 300 and max pipeline count to 1) is irrelevant for anything but benchmarks.

The README does a very bad job of explaining exactly what these results mean to the developer.

I am inclined to go with HTTPoison based on the results of this alone.


#7

HTTPoison (actually, Hackney) comes with secure HTTPS defaults. Last time I checked other HTTP clients, including HTTPotion/iBrowse, will happily let you pass in an HTTPS URL and connect to the server without any verification of the server’s certificate chain or identity (hostname). Basically they obscure the communication to avoid eavesdropping, but they don’t protect against MitM attacks unless you explicitly pass in all the right TLS configuration options.


#8

I can attest to this. We have a Ubiquity thing here that mandates HTTPS for its api connection, but it uses a self-signed cert, thus I had to disable HTTPoisons/Hackneys checking. ^.^


#9

That’s probably one of the best reasons I have come across in favour of HTTPoison.


#10

Decided to write a blog post on the security posture of Elixir HTTPS clients. Linked here for future readers of this post:
https://blog.voltone.net/post/7


#11

Tesla looks really nice, with a clean API. :thumbsup: