Re: Your API Shouldn’t Redirect HTTP to HTTPS
Re: https://jviide.iki.fi/http-redirects (Hacker News: https://news.ycombinator.com/item?id=40504756)
The gist is just like the title: your API shouldn’t redirect http:// to https://, but instead should do one of the following:
- Disable the HTTP interface entirely
- Return an HTTP error response with a clear message and revoke any API keys that were sent
Reading this was a “d’oh!” moment for me, but I 100% agree. Auto-upgrading or redirecting HTTP -> HTTPS requests is something that has just become second nature to me, especially with the shift of the Web going from largely unencrypted to largely encrypted thanks to the availability of Let’s Encrypt. I still have a handful of domains that are backed by a server I provisioned and configured manually, which runs Nginx & Let’s Encrypt to handle HTTP and HTTPS connections plus renewing the TLS certificates. Not all software is running on a platform that handles it all automagically.
Some initial thoughts:
- This seems more geared to companies that operate an API as a service, i.e. it’s part of what drives conversion and revenue
- It’s less applicable to an API that is used internally, i.e. issuing API keys to third parties isn’t really a thing
- I haven’t personally worked on a product where the API is the product, so it has been less top-of-mind
- A lot of the services I’ve built operate on the same IP, i.e. the backend and the frontend aren’t really separated, so something has to be bound to `:80`
- A common pattern on a web frontend is to redirect `/api` to an `api.` subdomain
  - This is done to circumvent needing to configure CORS
  - It can also reduce deployment complexity, i.e. `/api` is always absolute, whereas an `api.` subdomain can change depending on the deployed environment
- All this to say, when doing a pattern like this where a subpath (`/api`) is redirected, rewritten, or otherwise proxied to a subdomain (`api.`), the same logic should be upheld: API requests shouldn’t be unencrypted
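To make the two points above concrete, here is an added example (my own illustration, not code from the linked article or from this post) of the “error response plus key revocation” behaviour, applied to both layouts described: an `api.` subdomain and an `/api` prefix on the frontend host. It is a small WSGI middleware that sits behind a TLS-terminating proxy such as Nginx and therefore relies on the proxy’s `X-Forwarded-Proto` header to learn whether the client connection was HTTPS; the key store, the sample keys, the host names and the `hello_app` upstream are all constructed for the example.

```python
import json

# Constructed sample key store (key -> active). A real deployment would back
# this with the database or key-management service that issued the keys.
API_KEYS = {"key-live-1234": True, "key-live-5678": True}


def revoke_key(key):
    """Mark a key inactive; returns True if it was known and still active."""
    if API_KEYS.get(key):
        API_KEYS[key] = False
        return True
    return False


def extract_api_key(environ):
    """Read the key from 'Authorization: Bearer <key>' or 'X-API-Key'."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip() or None
    return environ.get("HTTP_X_API_KEY") or None


def request_is_encrypted(environ, trust_forwarded):
    """True when the client connection was TLS. Behind a TLS-terminating proxy
    the app only ever sees plain HTTP, so the proxy's X-Forwarded-Proto header
    is consulted, but only when that proxy is trusted to set it (otherwise a
    client could spoof the header and bypass the check)."""
    if trust_forwarded and "HTTP_X_FORWARDED_PROTO" in environ:
        first = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0]
        return first.strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def is_api_request(environ):
    """Covers both layouts from the post: an api. subdomain and an /api prefix
    on the frontend host that gets proxied to the API."""
    host = environ.get("HTTP_HOST", "").lower()
    path = environ.get("PATH_INFO", "")
    return host.startswith("api.") or path == "/api" or path.startswith("/api/")


class RejectPlaintextAPI:
    """WSGI middleware: an API request arriving over plaintext gets a 403 with
    an explanatory body, and any key it carried is revoked on the spot.
    Non-API requests (the frontend) pass through and may still be redirected."""

    def __init__(self, app, trust_forwarded=True):
        self.app = app
        self.trust_forwarded = trust_forwarded

    def __call__(self, environ, start_response):
        if (not is_api_request(environ)
                or request_is_encrypted(environ, self.trust_forwarded)):
            return self.app(environ, start_response)
        key = extract_api_key(environ)
        revoked = revoke_key(key) if key else False
        message = {
            "error": "plaintext_request",
            "message": "This API accepts HTTPS only. The request was not "
                       "redirected because any credentials it carried already "
                       "crossed the network unencrypted; treat them as compromised.",
            "key_revoked": revoked,
        }
        payload = json.dumps(message).encode()
        start_response("403 Forbidden", [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(payload))),
        ])
        return [payload]


def hello_app(environ, start_response):
    """Stand-in upstream API (constructed for the example)."""
    body = b'{"ok": true}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, environ):
    """Drive a WSGI app in-process; returns (status line, parsed JSON body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def make_environ(host, path, proto, key=None):
    """Build a minimal WSGI environ as a proxied request would present it."""
    environ = {"HTTP_HOST": host, "PATH_INFO": path, "REQUEST_METHOD": "GET",
               "wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": proto}
    if key:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + key
    return environ


if __name__ == "__main__":
    app = RejectPlaintextAPI(hello_app)
    print(run(app, make_environ("api.example.test", "/v1/users", "https", "key-live-1234")))
    print(run(app, make_environ("api.example.test", "/v1/users", "http", "key-live-1234")))
    print("key-live-1234 still active:", API_KEYS["key-live-1234"])
```

The design choice worth noting is that revocation happens before any authentication succeeds: by the time the request reaches the app the key has already travelled in the clear, so whether it would have been accepted is irrelevant. With Nginx in front, the equivalent of “disable the HTTP interface entirely” for the `api.` host is simply not adding a `listen 80` server block for it, whereas the error-plus-revoke option needs the application to see the plaintext request, which is why the example inspects `X-Forwarded-Proto` rather than returning a static error from the proxy.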
The article also enumerates a number of “well-known” APIs and notes which ones are compliant with this behaviour, which aren’t, and a few that even fail spectacularly, i.e. respond in plaintext. This prompted me to check the APIs of a few lesser-known services, and unfortunately the non-compliance pattern continues.
I love hearing from readers so please feel free to reach out.