worldcoin · pophilpo · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -25,7 +25,7 @@ pub enum Error {
 pub fn client() -> &'static Client {
     static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
     CLIENT.get_or_init(|| {
-        let builder = orb_security_utils::reqwest::http_client_builder()
+        let builder = orb_security_utils::reqwest::client_builder()
             .timeout(std::time::Duration::from_secs(60))
             .user_agent(USER_AGENT);
         #[cfg(test)]

@@ -0,0 +1,6 @@
+disallowed-methods = [
+	{ path = "reqwest::Client::builder", reason = "use orb_security_utils::reqwest::client_builder() instead" },
+	{ path = "reqwest::Client::new", reason = "use orb_security_utils::reqwest::client_builder().build() instead" },
+	{ path = "reqwest::blocking::Client::builder", allow-invalid = true, reason = "use orb_security_utils::reqwest::blocking::client_builder() instead" },
+	{ path = "reqwest::blocking::Client::new", allow-invalid = true, reason = "use orb_security_utils::reqwest::blocking::client_builder().build() instead" },
+]
@@ -1,4 +1,5 @@
 //! Download functionality for various sources of artifacts.
+#![allow(clippy::disallowed_methods)]
 
 use color_eyre::{eyre::WrapErr, Result};
 use octocrab::Octocrab;

@@ -1,3 +1,5 @@
+// Allow regular reqwest builder without HTTPS enforsement
+#![allow(clippy::disallowed_methods)]
 mod http_handler;
 use color_eyre::eyre::{Context, Result};
 use http_handler::{download, info, upload};

@@ -1,3 +1,5 @@
+// Allow regular reqwest builder without HTTPS enforsement
+#![allow(clippy::disallowed_methods)]
 use std::collections::BTreeSet;
 use std::time::Duration;
 

@@ -1,3 +1,5 @@
+// Allow regular reqwest builder without HTTPS enforsement
+#![allow(clippy::disallowed_methods)]
 use async_tempfile::TempFile;
 use fixture::Fixture;
 use iroh_blobs::{store::fs::FsStore, Hash};

@@ -1,3 +1,4 @@
+#![allow(clippy::disallowed_methods)]
 use async_tempfile::TempFile;
 use fixture::Fixture;
 use iroh_blobs::{

@@ -1,3 +1,5 @@
+// Allow regular reqwest builder without HTTPS enforsement
+#![allow(clippy::disallowed_methods)]
 use async_tempfile::TempFile;
 use fixture::Fixture;
 use iroh::{NodeAddr, SecretKey};

@@ -32,6 +32,7 @@ orb-info = { workspace = true, features = [
 	"orb-token",
 ] }
 orb-dogd.workspace = true
+orb-security-utils = { workspace = true, features = ["reqwest"] }
 orb-telemetry = { workspace = true, features = ["otel", "zbus-tracing"] }
 orb-update-agent-dbus.workspace = true
 reqwest = { workspace = true, features = ["json"] }
@@ -57,6 +58,7 @@ zbus = { workspace = true, default-features = false, features = ["tokio"] }
 zenorb.workspace = true
 
 [dev-dependencies]
+orb-security-utils = { workspace = true, features = ["reqwest", "allow-http"] }
 dbus-launch.workspace = true
 eyre.workspace = true
 portpicker = "0.1.1"

@@ -71,7 +71,7 @@ impl StatusClient {
                     .retry_bounds(min_req_retry_interval, max_req_retry_interval)
                     .build_with_max_retries(3);
 
-                let reqwest_client = reqwest::Client::builder()
+                let reqwest_client = orb_security_utils::reqwest::client_builder()
                     .timeout(req_timeout)
                     .user_agent("orb-backend-status")
                     .build()

@@ -31,6 +31,7 @@ num-traits.workspace = true
 oes.workspace = true
 orb-backend-status-dbus.workspace = true
 orb-build-info.workspace = true
+orb-security-utils = { workspace = true, features = ["reqwest"] }
 orb-connd-dbus.workspace = true
 orb-dogd.workspace = true
 orb-info = { workspace = true, features = ["orb-os-release", "async"] }

@@ -21,6 +21,6 @@ ipv6.route-metric=500
 
 [connectivity]
 enabled=true
-uri=http://connectivity-check.worldcoin.org
+uri=https://connectivity-check.worldcoin.org
 interval=300
 response=
@@ -17,9 +17,9 @@ impl ConnHttpCheck {
     /// iface will default to default route if `None` is passed as arg
     pub async fn run(connectivity_uri: &str, iface: Option<&str>) -> Result<Self> {
         let client = if let Some(iface) = iface {
-            reqwest::Client::builder().interface(iface)
+            orb_security_utils::reqwest::client_builder().interface(iface)
         } else {
-            reqwest::Client::builder()
+            orb_security_utils::reqwest::client_builder()
         }
         .timeout(Duration::from_secs(5))
         .build()?;

@@ -41,7 +41,7 @@ where
     }
 
     pub fn default_reqwest_client(self) -> Result<ClientBuilder<SetClient<S>>> {
-        let client = orb_security_utils::reqwest::http_client_builder()
+        let client = orb_security_utils::reqwest::client_builder()
             .user_agent(USER_AGENT)
             .build()
             .wrap_err("failed to create http client")?;

@@ -15,6 +15,8 @@ pub struct Harness {
 }
 
 impl<S: hb::State> HarnessBuilder<S> {
+    // local_backend uses http://localhost — plain reqwest client is intentional here.
+    #[allow(clippy::disallowed_methods)]
     pub fn build(self) -> (Harness, orb_se050_reprovision::Config)
     where
         S: hb::IsComplete,

@@ -13,6 +13,9 @@ rust-version.workspace = true
 [features]
 blocking = ["reqwest/blocking"]
 reqwest = ["dep:reqwest"]
+# Disables https_only enforcement. Only intended for use in dev-dependencies
+# of crates that spin up local HTTP test servers.
+allow-http = []
 
 [dependencies]
 eyre = "0.6"

@@ -151,9 +151,9 @@ macro_rules! helper {
     ($builder:expr, $certs:expr) => {{
         let certs = $certs;
         $builder
-            .min_tls_version(reqwest::tls::Version::TLS_1_2)
+            .min_tls_version(reqwest::tls::Version::TLS_1_3)
             .tls_built_in_root_certs(false)
-            .https_only(true)
+            .https_only(!cfg!(feature = "allow-http"))
             .add_root_certificate(certs.aws_root_ca1.clone())
             .add_root_certificate(certs.aws_root_ca2.clone())
             .add_root_certificate(certs.aws_root_ca3.clone())
@@ -167,7 +167,8 @@ macro_rules! helper {
     }};
 }
 
-pub fn http_client_builder() -> ClientBuilder {
+#[allow(clippy::disallowed_methods)]
+pub fn client_builder() -> ClientBuilder {
     let certs = get_certs();
     helper!(Client::builder(), certs)
 }
@@ -178,7 +179,8 @@ pub mod blocking {
 
     use super::get_certs;
 
-    pub fn http_client_builder() -> ClientBuilder {
+    #[allow(clippy::disallowed_methods)]
+    pub fn client_builder() -> ClientBuilder {
         let certs = get_certs();
         helper!(Client::builder(), certs)
     }

@@ -25,6 +25,7 @@ color-eyre.workspace = true
 flate2.workspace = true
 orb-attest-dbus.path = "../attest/dbus"
 orb-build-info.workspace = true
+orb-security-utils = { workspace = true, features = ["reqwest"] }
 orb-info.path = "../orb-info"
 rand.workspace = true
 reqwest = { workspace = true, features = ["multipart", "stream", "json"] }

@@ -94,7 +94,9 @@ struct PackageRequest<'a> {
 
 pub async fn run_speed_test(test_size_bytes: usize) -> Result<SpeedTestResults> {
     let timeout = Duration::from_secs(CLOUDFLARE_TIMEOUT_SECS);
-    let client = reqwest::Client::builder().timeout(timeout).build()?;
+    let client = orb_security_utils::reqwest::client_builder()
+        .timeout(timeout)
+        .build()?;
 
     let upload_result = probe_upload(&client, test_size_bytes, timeout).await?;
     let download_result = probe_download(&client, test_size_bytes, timeout).await?;
@@ -333,7 +335,7 @@ async fn request_presigned_url(
         id_commitment: "mock_id_commitment",
     };
 
-    let client = reqwest::Client::builder()
+    let client = orb_security_utils::reqwest::client_builder()
         .timeout(Duration::from_secs(PCP_TIMEOUT_SECS))
         .build()?;
 
@@ -380,7 +382,7 @@ async fn upload_to_presigned_url(
 
     form = form.part("file", file_part);
 
-    let client = reqwest::Client::builder()
+    let client = orb_security_utils::reqwest::client_builder()
         .timeout(Duration::from_secs(PCP_TIMEOUT_SECS))
         .build()?;
 

@@ -74,13 +74,17 @@ pub fn download(
 }
 
 /// Creates an HTTP client with security settings similar to the update-agent
+// update-agent-loader intentionally uses system certs rather than pinned CAs.
+#[allow(clippy::disallowed_methods)]
 fn create_client() -> Result<Client, DownloadError> {
     // Compile-time assertion to ensure allow_http feature isn't enabled in release mode
     #[cfg(all(feature = "allow_http", not(debug_assertions)))]
     compile_error!("The 'allow_http' feature cannot be enabled in release mode for security reasons");
 
     let builder = Client::builder()
         .tls_built_in_root_certs(true)
+        .min_tls_version(reqwest::tls::Version::TLS_1_3)
+        .redirect(reqwest::redirect::Policy::none())
         .user_agent(concat!(
             env!("CARGO_PKG_NAME"),
             "/",

@@ -20,6 +20,8 @@ pub fn normal() -> Result<&'static Client, Error> {
     INSTANCE.get_or_try_init(initialize)
 }
 
+// update-agent intentionally uses system certs rather than pinned CAs — see comment below.
+#[allow(clippy::disallowed_methods)]
 fn initialize() -> Result<Client, Error> {
     // We explicitly do not pin certificates and default to using the system's
     // root CAs in the update-agent.