OxiHTTP 0.2.0 — A Pure-Rust HTTP Stack to Replace the curl / OpenSSL World

OxiHTTP is the COOLJAPAN Pure-Rust HTTP stack: an async client and server for HTTP/1.1, HTTP/2, and HTTP/3 with no curl, no OpenSSL, and no -sys crates. Transport security comes from OxiTLS. It is a reqwest/hyper-free facade and part of the NoFFI sovereign Rust stack.

The web speaks HTTP. Your Rust binary should be able to speak it back — without linking a single line of C.

Today we’re releasing OxiHTTP 0.2.0 — the COOLJAPAN Pure-Rust HTTP stack: an async client and server for HTTP/1.1, HTTP/2, and HTTP/3, packaged as one clean facade.

No curl. No OpenSSL. No native-tls. No FFI. No -sys crates. Just Rust, all the way down to the bytes on the wire — with transport security handled by OxiTLS, the COOLJAPAN Pure-Rust TLS stack.

Why OxiHTTP

HTTP is the one protocol almost every program eventually needs, and for decades the path of least resistance has run through C. Reach for an HTTP client and you reach for libcurl. Reach for TLS and you reach for OpenSSL. Suddenly your “pure Rust” project has a build-time C toolchain, a system library dependency, a fresh CVE feed to watch, and a cross-compilation story that gets harder every time you change targets.

The Rust ecosystem already softened this with the hyper / reqwest stack — but TLS there still routinely defers to native-tls (which is OpenSSL on most platforms) or to a crypto provider that drags native code in through the side door. The moment you want a single static binary, a WASM-friendly build, or a dependency tree you can actually audit, those native edges show up.

OxiHTTP exists to remove them entirely. Its default feature set contains no C, C++, or Fortran. Compression runs on oxiarc-deflate; TLS runs on oxitls. The result is an HTTP toolkit you can drop into any COOLJAPAN project — or any Rust project — and trust to stay pure.

What we built

OxiHTTP is a small workspace of focused crates that compose into one ergonomic facade:

  1. oxihttp-core — the shared vocabulary. OxiHttpError, Body, CookieJar, ContentType, RequestBuilder, ResponseExt, HttpVersion, and the HeaderMapExt / UriExt extension traits that make headers and URIs pleasant to work with.
  2. oxihttp-client — the async client. HTTP/1.1, HTTPS, and HTTP/2 over a hyper-util connection pool; configurable redirect and retry policies; global and per-request timeouts; HTTP CONNECT and SOCKS5 proxy support; auto-decompression; streaming downloads; and cookie handling.
  3. oxihttp-server — the async server. A router with literal, /:param, and /*wildcard matching, plus nested and virtual-host routing; typed state injection; graceful shutdown; CORS; token-bucket rate limiting; static file serving; Server-Sent Events; and RFC 6455 WebSockets.
  4. oxihttp — the facade. It re-exports the whole API and adds one-shot get / post / put / delete convenience functions, so the simple case stays one line.

Underneath, transport security is OxiTLS (a Pure-Rust, rustls-based stack) with the webpki-roots Mozilla trust store bundled in. Custom CA bundles and PEM/DER certificate loading are supported, and the client even allows per-request TLS overrides with custom trust anchors. There is no native-tls, no openssl, and no C-backed crypto in the default build.
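
One way to check any build against a "no native-tls, no openssl, no -sys crates" claim is to scan the resolved Cargo.lock for such packages. The following is an added example, not OxiHTTP code: the deny list, the function names, and the sample lockfile are constructed for illustration.

```rust
// Added example, not OxiHTTP code. NATIVE_CRATES is an assumed deny list; extend it.
const NATIVE_CRATES: &[&str] = &["openssl", "native-tls", "curl", "ring", "cc", "cmake"];

// Constructed sample lockfile for a hypothetical application.
pub const SAMPLE_LOCK: &str = r#"
version = 4

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = ["native-tls"]

[[package]]
name = "native-tls"
version = "1.0.0"
dependencies = ["openssl-sys"]

[[package]]
name = "openssl-sys"
version = "1.0.0"
"#;

/// Returns the value of a `key = "value"` line, or None for any other line.
fn quoted(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Returns (name, version, reason) for each flagged `[[package]]` entry.
pub fn audit_lockfile(lock: &str) -> Vec<(String, String, &'static str)> {
    let mut findings = Vec::new();
    let mut name = None;
    for line in lock.lines().map(str::trim) {
        if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted(line, "version") {
            let Some(n) = name.take() else { continue }; // lockfile format version
            let reason = if n.ends_with("-sys") { "-sys FFI binding" }
                else if NATIVE_CRATES.contains(&n.as_str()) { "native-code deny list" }
                else { continue };
            findings.push((n, v, reason));
        }
    }
    findings
}

fn main() {
    for (name, version, why) in audit_lockfile(SAMPLE_LOCK) {
        println!("{name} {version}: {why}");
    }
}
```

A name-based scan is a first pass only: a crate outside the list can still compile C from its build script, so a clean result narrows the audit rather than finishing it.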

Getting Started

Add the facade crate:

cargo add oxihttp

The simple case is a single call. The full case is a builder:

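use oxihttp::prelude::*;

// The calls below use `.await?`, so they belong inside an async function
// that returns a Result.

// One-shot GET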
let resp = oxihttp::get("http://httpbin.org/get").await?;
println!("{}", resp.status());

// Full client with TLS and retries
let client = Client::builder()
    .with_tls()
    .with_retry(RetryPolicy::default())
    .build()?;

let body: serde_json::Value = client
    .get("https://httpbin.org/json")
    .send()
    .await?
    .json()
    .await?;

Serving is just as direct. Define routes, bind, and serve:

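use oxihttp::prelude::*;

// As above, this runs inside an async function that returns a Result.
let router = Router::new()
    .get("/", |_req| async {
        ok_response("Hello, world!")
    })
    .post("/echo", |req| async move {
        let body = req.body_bytes().await?;
        Ok(Response::new(Full::from(body)))
    });

// 0.0.0.0 listens on every network interface; use 127.0.0.1 to keep a
// test server reachable from the local machine only.
Server::builder()
    .bind("0.0.0.0:8080")
    .serve(router)
    .await?;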

Both run on the Tokio async runtime, so they slot straight into any existing async application.

Highlights

Tips

Part of the COOLJAPAN ecosystem

OxiHTTP is part of NoFFI — the COOLJAPAN initiative to replace every C/C++/Fortran/-sys FFI dependency in the Rust world with a clean, memory-safe, 100% Pure Rust implementation. OxiHTTP retires the curl / OpenSSL-backed HTTP stack and offers a sovereign alternative to the hyper / reqwest ecosystem.

It stands shoulder to shoulder with its siblings: OxiTLS for transport security, OxiQUIC for QUIC/HTTP-3 transport, and OxiARC for compression. Together they form a networking stack with no native edges — one you can compile to a single static binary, ship to WASM, and audit end to end.

Repository: https://github.com/cool-japan/oxihttp

Star the repo if a curl-free, OpenSSL-free HTTP stack is something you’ve been waiting for. 🦀

Pure Rust HTTP — sovereign, safe, and FFI-free.

KitaSan at COOLJAPAN OÜ June 23, 2026