I noticed an interesting post on Hacker News: https://news.ycombinator.com/item?id=40504756 (https://jviide.iki.fi/http-redirects)
Basically, this article argues that for reasons, API should "fail early", such as returning with 403 and revoking all credentials sent via plain text, rather than redirecting all HTTP requests to HTTPS.
In my humble opinion, this article's point make perfect sense. Because we cannot expect an arbitrary client to follow HSTS and a simple typo can cause serious credential leak.
I found that all our APIs (action API, Wikimedia REST, and even Wikimedia Enterprise) are doing redirects:
``` $ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth" HTTP/1.1 301 Moved Permanently content-length: 0 location: https://en.wikipedia.org/api/rest_v1/page/title/Earth server: HAProxy x-cache: cp5023 int x-cache-status: int-tls connection: close
$ curl -I "http://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Eart..." HTTP/1.1 301 Moved Permanently content-length: 0 location: https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Ear... server: HAProxy x-cache: cp5023 int x-cache-status: int-tls connection: close
$ curl -I http://api.enterprise.wikimedia.com/v2/snapshots HTTP/1.1 301 Moved Permanently Server: awselb/2.0 Date: Wed, 29 May 2024 10:03:24 GMT Content-Type: text/html Content-Length: 134 Connection: keep-alive Location: https://api.enterprise.wikimedia.com:443/v2/snapshots
```
I'm asking security folks, should we consider making above changes, like those services listed in the article? Thanks you.
Best regards, diskdance