• @[email protected]
    link
    fedilink
    06 months ago

    This seems like common sense, no? Return 403 or better yet reject TCP connections on port 80 entirely.

    That initial HTTP request header and body is sent in clear text, and that’s more than enough to leak credentials or other sensitive data.

    • Domi
      link
      fedilink
      06 months ago

      This seems like common sense, no?

      Hindsight is 20/20. As seen in the post, there’s not that many APIs that don’t just blindly redirect HTTP to HTTPS since it’s sort of the default web server behaviour nowadays.

      Probably a non-issue in most cases since the URLs are usually set by developers but of course mistakes happen and it absolutely makes sense to not redirect HTTP for APIs and even invalidate any token used over HTTP.