I personally think the rather low risk is not worth the inconvinence, especially since many uses of the API are unauthenticated.<div><br></div><div>If we did it, i think we should only do it for requests that actually have credentials attached (cookie or oauth)</div><div><br></div><div>Just my 2 cents.</div><div><br></div><div>--</div><div>Brian</div><div><br>On Wednesday 29 May 2024, psnbaotg via Wikitech-l &lt;<a href="mailto:wikitech-l@lists.wikimedia.org">wikitech-l@lists.wikimedia.org</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I noticed an interesting post on Hacker News: <a href="https://news.ycombinator.com/item?id=40504756" target="_blank">https://news.ycombinator.com/<wbr>item?id=40504756</a> (<a href="https://jviide.iki.fi/http-redirects" target="_blank">https://jviide.iki.fi/http-<wbr>redirects</a>)<br>
<br>
Basically, this article argues that for reasons, API should &quot;fail early&quot;, such as returning with 403 and revoking all credentials sent via plain text, rather than redirecting all HTTP requests to HTTPS.<br>
<br>
In my humble opinion, this article&#39;s point make perfect sense. Because we cannot expect an arbitrary client to follow HSTS and a simple typo can cause serious credential leak.<br>
<br>
I found that all our APIs (action API, Wikimedia REST, and even Wikimedia Enterprise) are doing redirects:<br>
<br>
```<br>
$ curl -I &quot;<a href="http://en.wikipedia.org/api/rest_v1/page/title/Earth" target="_blank">http://en.wikipedia.org/api/<wbr>rest_v1/page/title/Earth</a>&quot;<br>
HTTP/1.1 301 Moved Permanently<br>
content-length: 0<br>
location: <a href="https://en.wikipedia.org/api/rest_v1/page/title/Earth" target="_blank">https://en.wikipedia.org/api/<wbr>rest_v1/page/title/Earth</a><br>
server: HAProxy<br>
x-cache: cp5023 int<br>
x-cache-status: int-tls<br>
connection: close<br>
<br>
$ curl -I &quot;<a href="http://en.wikipedia.org/w/api.php?action=query&amp;prop=info&amp;titles=Earth" target="_blank">http://en.wikipedia.org/w/<wbr>api.php?action=query&amp;prop=<wbr>info&amp;titles=Earth</a>&quot;<br>
HTTP/1.1 301 Moved Permanently<br>
content-length: 0<br>
location: <a href="https://en.wikipedia.org/w/api.php?action=query&amp;prop=info&amp;titles=Earth" target="_blank">https://en.wikipedia.org/w/<wbr>api.php?action=query&amp;prop=<wbr>info&amp;titles=Earth</a><br>
server: HAProxy<br>
x-cache: cp5023 int<br>
x-cache-status: int-tls<br>
connection: close<br>
<br>
$ curl -I <a href="http://api.enterprise.wikimedia.com/v2/snapshots" target="_blank">http://api.enterprise.<wbr>wikimedia.com/v2/snapshots</a><br>
HTTP/1.1 301 Moved Permanently<br>
Server: awselb/2.0<br>
Date: Wed, 29 May 2024 10:03:24 GMT<br>
Content-Type: text/html<br>
Content-Length: 134<br>
Connection: keep-alive<br>
Location: <a href="https://api.enterprise.wikimedia.com:443/v2/snapshots" target="_blank">https://api.enterprise.<wbr>wikimedia.com:443/v2/snapshots</a><br>
<br>
```<br>
<br>
I&#39;m asking security folks, should we consider making above changes, like those services listed in the article? Thanks you.<br>
<br>
Best regards,<br>
diskdance<br>
______________________________<wbr>_________________<br>
Wikitech-l mailing list -- <a href="mailto:wikitech-l@lists.wikimedia.org">wikitech-l@lists.wikimedia.org</a><br>
To unsubscribe send an email to <a href="mailto:wikitech-l-leave@lists.wikimedia.org">wikitech-l-leave@lists.<wbr>wikimedia.org</a><br>
<a href="https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/" target="_blank">https://lists.wikimedia.org/<wbr>postorius/lists/wikitech-l.<wbr>lists.wikimedia.org/</a><br>
</blockquote></div>