I personally think the rather low risk is not worth the inconvinence, especially since many uses of the API are unauthenticated.
If we did it, i think we should only do it for requests that actually have credentials attached (cookie or oauth)
Just my 2 cents.
-- Brian
On Wednesday 29 May 2024, psnbaotg via Wikitech-l < wikitech-l@lists.wikimedia.org> wrote:
I noticed an interesting post on Hacker News: https://news.ycombinator.com/item?id=40504756 (https://jviide.iki.fi/http- redirects)
Basically, this article argues that for reasons, API should "fail early", such as returning with 403 and revoking all credentials sent via plain text, rather than redirecting all HTTP requests to HTTPS.
In my humble opinion, this article's point make perfect sense. Because we cannot expect an arbitrary client to follow HSTS and a simple typo can cause serious credential leak.
I found that all our APIs (action API, Wikimedia REST, and even Wikimedia Enterprise) are doing redirects:
$ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth" HTTP/1.1 301 Moved Permanently content-length: 0 location: https://en.wikipedia.org/api/rest_v1/page/title/Earth server: HAProxy x-cache: cp5023 int x-cache-status: int-tls connection: close $ curl -I "http://en.wikipedia.org/w/api.php?action=query&prop= info&titles=Earth" HTTP/1.1 301 Moved Permanently content-length: 0 location: https://en.wikipedia.org/w/api.php?action=query&prop= info&titles=Earth server: HAProxy x-cache: cp5023 int x-cache-status: int-tls connection: close $ curl -I http://api.enterprise.wikimedia.com/v2/snapshots HTTP/1.1 301 Moved Permanently Server: awselb/2.0 Date: Wed, 29 May 2024 10:03:24 GMT Content-Type: text/html Content-Length: 134 Connection: keep-alive Location: https://api.enterprise.wikimedia.com:443/v2/snapshotsI'm asking security folks, should we consider making above changes, like those services listed in the article? Thanks you.
Best regards, diskdance _______________________________________________ Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org To unsubscribe send an email to wikitech-l-leave@lists.wikimedia.org https://lists.wikimedia.org/postorius/lists/wikitech-l. lists.wikimedia.org/