MikeBishop
commented
3 weeks ago (Note that a new status code would probably not be informational, and might belong in a separate draft.)
Open MikeBishop opened 3 weeks ago
MikeBishop
commented
3 weeks ago (Note that a new status code would probably not be informational, and might belong in a separate draft.)
richsalz
commented
3 weeks ago I think we should use 403 and not define a new status code. One reason is we want this to be adopted quickly.
jviide
commented
3 weeks ago I think 403 is a good option. Its defined semantics can be understood to include the "I won't serve HTTP" scenario. 426 would have been my favorite if not for RFC 9110 stating:
the server MUST send an Upgrade header field
and
The Upgrade header field only applies to switching protocols on top of the existing connection; it cannot be used to switch the underlying connection (transport) protocol, nor to switch the existing communication to a different connection.
jviide
commented
3 weeks ago A side note: I don't know if this is an appropriate for this specific document, but how about to explicitly recommending attaching an informational error message along with the 403/426/421/... error? Pre-existing status codes may to have multiple meanings, so a developer accidentally using HTTP instead of HTTPS might confuse the response to mean that the credentials are wrong. As an example, Stripe returns status code 403 with the following response payload that nudges the developer towards a correct solution:
{
"error": {
"message" : "The Stripe API is only accessible over HTTPS. Please see <https://stripe.com/docs> for more information.",
"type": "invalid_request_error"
}
}Anthropic also recommends revoking the API key manually (with status 400), which is one approach for cases where auto-revocation is not a viable option:
{
"error": {
"type": "invalid_request_error",
"message": "This request was sent over HTTP. Only HTTPS is supported for API use. Consider revoking your API key, as it was sent in plaintext over the internet with this request."
}
}Of course different services format their errors differently, so it might be hard to suggest something overly specific.
richsalz
commented
3 weeks ago I think having a SHOULD about detailed error response, and a sample or two is a great idea!
MikeBishop
commented
3 weeks ago So long as the 400 please-revoke path gets sent regardless of the credential. Otherwise, that offers an explicit unencrypted signal that a valid credential was used. I'd prefer to keep the current advice that the response should not vary based on whether the credential used was valid or not.
jviide
commented
3 weeks ago I agree. The same message should be sent whether the credentials are valid or not.
Maybe there could be an explicit recommendation to not check credential validity at all on the plaintext HTTP side of the API. That could also help avoid timing differences in addition to accidental message differences and such between valid and non-valid credentials.
Acconut
commented
3 weeks ago I agree with the points that were already brought up. 403 is a good choice, unless there is a use for a generic client/intermediary to detect such error responses. But I don't think there is a need for this.
The response should include a descriptive message in the body, but the server must not validate or further inspect the provided credentials.
Discussion in Notes indicates that 403, while unintuitive, appears to be the closest HTTP status code for "I won't serve this over an unencrypted channel." For reference:
Should we recommend one of these, mint a new status code, or stay silent on the topic?