httpFetch(url, [options])
Last updated: 23. Jun 2026
API only function
Calls a URL and returns the full HTTP response — status code, response headers and the raw, unparsed body — unlike httpGet, which returns only the JSON-parsed body. Use it to inspect any web page or API: security headers, HTTP→HTTPS redirects, raw HTML, compression and timing. gzip/deflate/br bodies are decompressed automatically while the original content-encoding header is kept. On failure it returns { DoclyError: "..." } instead of throwing.
See also: httpGet, httpPost, httpFormPost, Calling external APIs
Parameters
| Name | Type | Description |
|---|---|---|
| url | string | URL to call. |
| options (optional) | object | Request options; specify any of the fields in the Options table below. All fields optional. |

Options
| Field | Type | Default | Description |
|---|---|---|---|
| method | string | "GET" | HTTP method (GET, HEAD, POST, PUT, DELETE, ...). |
| headers | object | | Name/value object converted to HTTP request headers. |
| body | string \| object | | Request body. Objects are serialized to JSON. |
| contentType | string | "application/json" | Content-Type used when a body is sent. |
| followRedirects | bool | true | Follow 3xx redirects. Set false to inspect the location header yourself (e.g. detect HTTP→HTTPS). |
| timeoutMs | number | 10000 | Request timeout in milliseconds, clamped to 1000–60000. |
| maxBodyBytes | number | 2000000 | Max body bytes returned, clamped to 1024–10000000. Larger bodies are cut and truncated is set. |
| blockPrivateNetworks | bool | false | When true, blocks requests whose host resolves to a loopback / private / link-local address (SSRF guard). Only the initial URL is checked, not each redirect hop. |

Returns
Returns an object with the full response:
| Field | Description |
|---|---|
| ok | true for 2xx status codes |
| status | HTTP status code |
| statusText | HTTP status text |
| url | Final URL (after redirects) |
| redirected | true if any redirect was followed |
| timeMs | Request duration in milliseconds |
| headers | Response headers (keys lower-cased) |
| contentType | Response Content-Type |
| contentEncoding | Original content-encoding header |
| contentLength | Content length |
| truncated | true if the body was cut to maxBodyBytes |
| body | Raw, unparsed response body |

On error: { DoclyError }.
Example
Code example (JS)
JS is normal JavaScript running either in the browser or on the Docly™ server.

```js
// Fetch a page with the full response (raw HTML + headers)
var r = docly.httpFetch("https://somewebsite.com", {
    followRedirects: true,
    timeoutMs: 10000
});

// Handle error
if (r.DoclyError) throw new Error(r.DoclyError);

// Inspect security headers (keys are lower-cased)
var hasHsts = !!r.headers["strict-transport-security"];
var hasCsp = !!r.headers["content-security-policy"];

// Inspect the raw HTML body
var isWordPress = r.body.indexOf("wp-content") >= 0;

return JSON.stringify({
    status: r.status,
    timeMs: r.timeMs,
    hsts: hasHsts,
    csp: hasCsp,
    wordpress: isWordPress
});
```
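
Because blockPrivateNetworks checks only the initial URL, a caller fetching untrusted URLs can set followRedirects to false and walk the redirect chain itself, so the guard runs on every hop. The following is an added example, not Docly's own code. It assumes httpFetch is synchronous as in the example above and that the WHATWG URL class is available; the helper name, the stub, its hostnames and its error message are constructed for illustration.

```javascript
// Added example, not Docly's own code. `httpFetch` is passed in so the helper
// runs offline against a stub; on Docly, pass docly.httpFetch.
function fetchCheckingEveryHop(httpFetch, startUrl, maxHops) {
  var url = startUrl, hops = [];
  for (var i = 0; i <= maxHops; i++) {
    var r = httpFetch(url, {
      followRedirects: false,     // walk the chain ourselves
      blockPrivateNetworks: true  // guard is applied to this hop's host
    });
    if (r.DoclyError) return { DoclyError: r.DoclyError, blockedUrl: url, hops: hops };
    hops.push({ url: url, status: r.status });
    var location = r.headers && r.headers["location"]; // keys are lower-cased
    if (r.status < 300 || r.status > 399 || !location) {
      return { response: r, hops: hops }; // final, non-redirect response
    }
    try {
      // Assumption: the WHATWG URL class exists in the runtime.
      var next = new URL(location, url); // resolves relative Location values
    } catch (e) {
      return { DoclyError: "Unparseable Location: " + location, hops: hops };
    }
    if (next.protocol !== "http:" && next.protocol !== "https:") {
      return { DoclyError: "Refused redirect to " + next.protocol, hops: hops };
    }
    url = next.href;
  }
  return { DoclyError: "More than " + maxHops + " redirects", hops: hops };
}

// Constructed stub standing in for docly.httpFetch: a public page that
// redirects twice, the second time to a link-local address.
function stubHttpFetch(url, options) {
  if (options.blockPrivateNetworks && url.indexOf("http://169.254.") === 0) {
    return { DoclyError: "Blocked private network address" }; // constructed message
  }
  var routes = {
    "https://example.test/start": { status: 302, headers: { location: "/next" } },
    "https://example.test/next": { status: 301, headers: { location: "http://169.254.169.254/meta" } },
    "https://example.test/ok": { status: 200, headers: {}, body: "hello" }
  };
  return routes[url] || { status: 404, headers: {} };
}

var demo = fetchCheckingEveryHop(stubHttpFetch, "https://example.test/start", 5);
```

Here demo carries the DoclyError from the second redirect plus the hops that were actually fetched, which is useful to log when a public URL bounces to an internal address.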