Re: Your API Shouldn’t Redirect HTTP to HTTPS

Published August 13, 2024

Re: https://jviide.iki.fi/http-redirects (Hacker News: https://news.ycombinator.com/item?id=40504756)

The gist is just like the title: your API shouldn’t redirect http:// to https:// but instead should do one of the following:

• Disable the HTTP interface entirely
• Return a HTTP error response with a clear message and revoke API keys sent

Reading this was a “d’oh!” moment for me, but I 100% agree. Auto upgrading or redirecting HTTP -> HTTPS requests is something that’s just became 2nd nature to me, especially with the shift of the Web going from largely-unencrypted to largely-encrypted thanks to availability of Let’s Encrypt. I still have a handful of domains that are backed by a server that I provisioned and configured manually which runs Nginx & Let’s Encrypt to handle HTTP and HTTPS connections plus renewing the TLS certificates. Not all software is running on a platform that handles it all automagically.

Some initial thoughts:

• This seems more geared to companies that operate an API as a service i.e. it’s part of what drives conversion and revenue
• It’s less applicable to an API that is used internally i.e issuing API keys to third parties isn’t really a thing
• I haven’t personally worked on a product where the API is the product so it has been less top-of-mind
• A lot of the services I’ve built all operate on the same IP i.e. the backend and the frontend aren’t really separated so something has to be bound to :80
• A common pattern on web frontend is to redirect /api to an api. subdomain
  • This is done to circumvent needing to configure CORS
  • It can also reduce deployment complexity i.e. /api is always absolute however an api. subdomain can change depending on the deployed environment
  • All this to say, when doing a pattern like this where a subpath (/api) is redirected, rewritten, or otherwise proxied to a subdomain (api.) then the same logic should be upheld: API requests shouldn’t be unencrypted

The article also enumerates a number of “well-known” APIs and which ones are compliant to this behavior, which aren’t, and a few that even fail spectacularly i.e. respond in plaintext. This prompted me to check the APIs of a few lesser-known services and unfortunately the non-compliance pattern continues.

I love hearing from readers so please feel free to reach out.

Reply via email • Subscribe via RSS or email

Last modified August 12, 2024  #re   #programming   #opinion