
Hachyderm Community Resources
https://community.hachyderm.io
Creative Commons Attribution Share Alike 4.0 International

For http API calls, consider returning an error rather than redirecting to https #530

Open anyonecancode opened 4 months ago

anyonecancode commented 4 months ago

What would you like to discuss with us or let us know?

I was reading https://jviide.iki.fi/http-redirects, which I think makes a good argument for having HTTP calls to an API endpoint return an error rather than redirect to HTTPS. tl;dr: API endpoints are generally not meant for browsers, and it becomes easy to accidentally leak secrets, as servers will call the plain-text HTTP version first.

I saw that Mastodon was listed among the servers tried that redirect rather than error, and confirmed that hachyderm.io does too.

Preskton commented 3 months ago

Howdy, we are looking into whether we can apply a blanket policy on the /api route to follow the suggested behavior. Ideally, masto would implement this in the upstream codebase as well so that it's more "permanent".
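One way such a blanket policy on the /api route could look at the reverse proxy, as an added example that is not Hachyderm's or Mastodon's own configuration. It assumes nginx in front of the instance with a plain-HTTP server block that currently redirects everything; the hostname is a placeholder and the choice of 403 as the error status is an assumption.

```nginx
# Added example, not the project's own config. Assumes nginx with a port-80
# server block that today redirects all paths to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.social;   # placeholder hostname

    # API clients are not browsers. A request that reaches this block has
    # already sent any Authorization header or token in clear text, so a
    # redirect would silently "succeed" and hide the mistake from the client
    # author. Fail loudly instead so the misconfigured base URL gets fixed.
    location /api/ {
        default_type text/plain;
        add_header Cache-Control "no-store" always;  # "always" is needed for non-2xx/3xx
        return 403 "Plain HTTP is not accepted for API calls; use https://\n";
    }

    # Browser traffic keeps the usual redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After deploying, a plain `curl -i http://example.social/api/v1/instance` should show the 403 rather than a 301, while `curl -i http://example.social/` still redirects.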

dmah42 commented 1 month ago

Have we filed an upstream issue against Mastodon for this?