For consideration: use ssl, set default strictSSL and do not follow redirects

[jrgm]

For consideration, but shouldn't this service not be plaintext?

[jrgm]

Or, I guess, in development, running without TLS is easier. But this service cannot be configured to use TLS - https://github.com/mozilla-services/ip-reputation-js-client/blob/master/lib/client.js#L31.

followRedirect can be disabled by default, and strictSSL can be conditioned on the scheme used (http vs. https).

[g-k]

So the options could be:

• add a required secure/https flag with options true|false
• don't require a port option and have it default to 80 or 443 based on the https flag
• followRedirect always false
• strictSSL true when https is true

Alternatively, just pass through a service url to request and infer strictSSL from the scheme e.g.

https://tigerblood.stage.mozaws.net/ -> {uri: "https://tigerblood.stage.mozaws.net/", followRedirect: false, strictSSL: true}

http://127.0.0.1:8080/ -> {uri: "http://127.0.0.1:8080/", followRedirect: false, strictSSL: false}