Custom adapters are powerful and risky. Neutrx can validate request config before an adapter runs and parse/redact errors after a response returns, but it cannot inspect redirects, DNS, TLS, proxy behavior, or retries that a custom adapter performs internally.
Use built-in adapters for security-sensitive traffic whenever possible.
A custom adapter must:
config.url exactly as passed unless it returns control to Neutrx for redirects.config.signal, config.timeout, maxBodyLength, or maxContentLength semantics without documenting why.config on the returned RawHttpResponse.legacy security settings as trusted migration-only settings.createSecureAdapter() adds lightweight invariants around a custom adapter:
import neutrx, { createSecureAdapter } from 'neutrx';
const api = neutrx.create({
adapter: createSecureAdapter(async config => {
return {
status: 200,
statusText: 'OK',
headers: { 'content-type': 'application/json' },
data: Buffer.from('{}'),
config,
};
}),
});
The wrapper rejects:
response.config.url differs from the request URL.Location header unless allowRedirectResponses is set.This wrapper does not make a custom adapter equivalent to Neutrx’s Node HTTP adapter. DNS pinning, TLS policy, and proxy safety must still be implemented by the adapter or avoided by using built-in adapters.
Avoid custom adapters for:
For those cases, prefer adapter: 'http' with security.profile: 'strict' and an egressPolicy.