What would you like to discuss with us or let us know?
I was reading https://jviide.iki.fi/http-redirects, which I think makes a good argument for having HTTP calls to an API endpoint return an error rather than redirect to HTTPS. tl;dr -- for API endpoints, these are generally not meant for browsers, and it becomes easy to accidentally leak secrets as servers will call the plain-text HTTP version first.
I saw that Mastodon was listed among the servers tried that redirects rather than errors, and confirmed that hachyderm.io does too.
Howdy, we are looking into whether we can apply a blanket policy on the /api route to follow the suggested behavior. Ideally, masto would implement this in the upstream codebase as well so that it's more "permanent".
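A sketch of the blanket `/api` policy discussed in this thread, as an added example that is not code from Hachyderm or Mastodon: cleartext requests under `/api` get an error with no `Location` header, while other paths keep the HTTPS redirect. The 403 status, the `social.example` host and all function names are assumptions; the thread names none of them.

```python
import posixpath
import re
from urllib.parse import unquote

API_PREFIX = "/api"                # the route named in the reply above
CANONICAL_HOST = "social.example"  # constructed placeholder host
REJECT_STATUS = 403                # assumption: the thread names no status code


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request target so prefix matching cannot be sidestepped."""
    # Split by hand: urlsplit() would read "//api/x" as a host named "api".
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)               # "/%61pi" -> "/api"
    path = re.sub(r"/+", "/", path)    # "//api"  -> "/api"
    path = posixpath.normpath(path)    # "/x/../api/" -> "/api"
    return path.casefold()             # over-match on case: fail closed


def is_api_path(raw_target: str) -> bool:
    path = normalize_path(raw_target)
    return path == API_PREFIX or path.startswith(API_PREFIX + "/")


def plain_http_policy(scheme: str, raw_target: str):
    """Return (status, headers, body) for cleartext requests, None for HTTPS."""
    if scheme == "https":
        return None  # already encrypted: hand over to the application
    if is_api_path(raw_target):
        body = '{"error": "This API is only available over HTTPS"}'
        # No Location header: the client must fail, not quietly follow.
        return REJECT_STATUS, {"Content-Type": "application/json"}, body
    # Browser-facing pages keep the redirect; the target host is fixed in
    # config rather than copied from the request's Host header.
    target = raw_target if raw_target.startswith("/") else "/"
    return 301, {"Location": f"https://{CANONICAL_HOST}{target}"}, ""
```

The path is normalised before matching so that encoded, doubled-slash or dot-segment variants of `/api` are rejected the same way as the plain form.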