The Fix
Upgrade to version 0.14.0 or later.
Based on closed encode/httpx issue #1102 · PR/commit linked
@@ -113,7 +113,6 @@ The HTTPX project relies on these excellent libraries:
* `certifi` - SSL certificates.
* `chardet` - Fallback auto-detection for response encoding.
-* `hstspreload` - determines whether IDNA-encoded host should be only accessed via HTTPS.
* `idna` - Internationalized domain name support.
* `rfc3986` - URL parsing & normalization.
Option A — Upgrade to fixed release\nUpgrade to version 0.14.0 or later.\nWhen NOT to use: This fix is not suitable if HSTS preloading is required for specific security policies.\n\n
Why This Fix Works in Production
- Trigger: Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
- Mechanism: HSTS preloading was introduced but is no longer relevant due to HTTPX requiring schemas on URLs
- Why the fix works: Drops HSTS preloading from HTTPX, addressing concerns raised in issue #1102. (first fixed release: 0.14.0).
Why This Breaks in Prod
- HSTS preloading was introduced but is no longer relevant due to HTTPX requiring schemas on URLs
- Production symptom (often without a traceback): Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
Proof / Evidence
- GitHub issue: #1102
- Fix PR: https://github.com/encode/httpx/pull/1110
- First fixed release: 0.14.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.69
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“My vote is for Add a toggle so that HSTS preload becomes opt-in, though for 1.0 it might be better to reduce the surface area…”
Failure Signature (Search String)
- Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
Copy-friendly signature
Failure Signature
-----------------
Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
What Broke
Users may experience unexpected behavior when HSTS preloading is enforced on server-side clients.
Why It Broke
HSTS preloading was introduced but is no longer relevant due to HTTPX requiring schemas on URLs
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.14.0 or later.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/1110
First fixed release: 0.14.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix is not suitable if HSTS preloading is required for specific security policies.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.14.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.