From: John P. R. <ro...@cs...> - 2024-06-03 17:01:45

Hi all:

In https://jviide.iki.fi/http-redirects jviide notes that redirecting http -> https automatically for API calls is not a great idea. For regular human browser use, credentials aren't usually sent with the first http request (it waits for a 401-Unauthorized response). However, for API calls, credentials are usually supplied with the first call to the API.

Jviide suggests returning a 403 (Forbidden) along with an explanation. The explanation says that the credentials should be changed, since they have been exposed in plaintext over the network. At the very least it stops repeated successful API access over the insecure path. This should reduce the number of times the credentials are exposed.

It also suggests automatically voiding the credentials if a request comes in over http, but that's a whole other issue.

Have a great day all and I hope you are enjoying Roundup 2.4.0beta2.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
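The refuse-instead-of-redirect behaviour described above, as an added example (not Roundup's code and not from jviide's post): a WSGI middleware that sends credential-free browser requests to https with a 301 but answers a plaintext request that carries credentials, or targets an API path, with a 403 and an explanation. The API prefixes, the session cookie name and the use of X-Forwarded-Proto behind a reverse proxy are assumptions for the example.

```python
API_PREFIXES = ("/rest/", "/xmlrpc")   # assumed API paths, not taken from the post
SESSION_COOKIE = "roundup_session"     # assumed cookie name, not taken from the post

FORBIDDEN_BODY = (b"403 Forbidden\nThis request carried credentials over plaintext "
                  b"HTTP, so they are exposed on the network. Change them, then retry over https://.\n")

def request_is_plaintext(environ):
    """True when the request arrived over http (honours X-Forwarded-Proto from a proxy)."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip()
    scheme = forwarded or environ.get("wsgi.url_scheme", "http")
    return scheme.lower() != "https"

def request_carries_credentials(environ):
    """True when an Authorization header or the session cookie is present."""
    if environ.get("HTTP_AUTHORIZATION"):
        return True
    cookies = environ.get("HTTP_COOKIE", "").split(";")
    return any(c.strip().startswith(SESSION_COOKIE + "=") for c in cookies)

def https_url(environ):
    # Same path and query, https scheme: the redirect target for credential-free requests.
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + environ.get("PATH_INFO", "/") + ("?" + query if query else "")

def decide(environ):
    """Return ('pass', None), ('forbid', None) or ('redirect', url)."""
    if not request_is_plaintext(environ):
        return ("pass", None)
    is_api = environ.get("PATH_INFO", "/").startswith(API_PREFIXES)
    if is_api or request_carries_credentials(environ):
        # A redirect would only make the client resend the secret over https; refuse instead.
        return ("forbid", None)
    return ("redirect", https_url(environ))

class PlaintextGuard:
    def __init__(self, app):
        self.app = app   # the wrapped WSGI application

    def __call__(self, environ, start_response):
        action, url = decide(environ)
        if action == "redirect":
            start_response("301 Moved Permanently", [("Location", url)])
            return [b""]
        if action == "forbid":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [FORBIDDEN_BODY]
        return self.app(environ, start_response)
```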