Redirect root URL from HTTP to HTTPS when root path is API backend #457

Closed
GUI opened this issue Aug 11, 2018 · 1 comment
GUI commented Aug 11, 2018

  • If an agency has a website backend set up, then all website content gets redirected from HTTP to HTTPS (e.g., http://developer.nrel.gov/ redirects to https://developer.nrel.gov/).
  • Similarly, if neither a website backend nor an API backend is set up to route the root URL, then we redirect the 404 not found page from HTTP to HTTPS.
  • However, in cases where the agency has an API backend set up to route the root URL path (/), then any HTTP requests by default return a 400 HTTP error (see HTTPS by default #34, but basically for API requests we've avoided returning redirects, since API clients may not follow those).

In this last case where the root URL is being treated as an API request, we've had a couple of agencies request that the root / URL perform a 301 redirect from HTTP to HTTPS (instead of the 400 HTTP response) to simplify compliance and scanning results (since automated scanning tools that check the root URL may not consider the 400 HTTP response as enforcing HTTPS). In all of these cases, there's not actually an API that lives directly at the root / path, so performing a redirect for only the root path should be relatively safe. Sub-paths besides the root URL will still return a 400 error for HTTP requests (since we do still want to avoid redirects on other API endpoints for legacy purposes), so this change would only affect the root URL behavior.

@GUI GUI self-assigned this Aug 11, 2018
GUI commented Aug 11, 2018

This change is now deployed (NREL/api-umbrella@8be3da1, https://github.com/18F/api.data.gov-ops/commit/988ca03232fbb91f8022a4f29c8497c23525c16c)

Here's an example showing the redirect for root URLs, but still retaining the 400 error response for sub-paths that might be to an actual API:

```
$ curl -i 'http://api.fda.gov/'
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Sat, 11 Aug 2018 22:36:48 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive
Location: https://api.fda.gov/
X-Cache: MISS
Strict-Transport-Security: max-age=31536000; preload

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty</center>
</body>
</html>


$ curl -i 'http://api.fda.gov/foo'
HTTP/1.1 400 Bad Request
Server: openresty
Date: Sat, 11 Aug 2018 22:37:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
X-Cache: MISS
Strict-Transport-Security: max-age=31536000; preload

{
  "error": {
    "code": "HTTPS_REQUIRED",
    "message": "Requests must be made over HTTPS. Try accessing the API at: https://api.fda.gov/foo"
  }
}
```
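The decision rules laid out in the opening comment, together with the two responses captured above, can be modelled as a small request handler. The block below is an added example written for this page; it is not API Umbrella's own code (which runs as OpenResty/Lua), and the backend labels `WEBSITE`, `API` and `NONE`, the function names and the `scanner_accepts` check are constructed for illustration. It also shows, in general form, why a bare 400 fails a redirect-based HTTPS-enforcement check while the 301 passes, and it preserves the request query string when it builds the `https://` target.

```python
"""Model of the HTTP->HTTPS handling described in issue #457.

Added example, not the project's own code. The routing labels below are
constructed for this illustration and are not API Umbrella identifiers.
"""
import json
from urllib.parse import urlsplit, urlunsplit

WEBSITE, API, NONE = "website", "api", "none"  # what is configured to route "/"

HSTS = "max-age=31536000; preload"  # value seen in the captured responses


def handle_http_request(host, target, root_backend):
    """Decide the response to a plaintext HTTP request.

    host:          the request's Host header (assumed already validated against
                   the configured hostnames, so it is safe to reflect into Location)
    target:        request path, optionally with a ?query
    root_backend:  WEBSITE, API or NONE, whichever routes the root path
    Returns (status, headers, body).
    """
    parts = urlsplit(target)
    path = parts.path or "/"
    https_url = urlunsplit(("https", host, path, parts.query, ""))
    headers = {"Strict-Transport-Security": HSTS}

    if root_backend == API and path != "/":
        # API sub-path: keep the 400 so clients that do not follow redirects
        # get an explicit, machine-readable error instead of a silent 3xx.
        headers["Content-Type"] = "application/json"
        body = json.dumps({"error": {
            "code": "HTTPS_REQUIRED",
            "message": "Requests must be made over HTTPS. "
                       f"Try accessing the API at: {https_url}",
        }}, indent=2)
        return 400, headers, body

    # Website content, the unrouted 404 page, and (after this change) the bare
    # root of an API backend all redirect to the same URL over https.
    headers["Location"] = https_url
    return 301, headers, ""


def scanner_accepts(status, headers, host, path):
    """What a redirect-based HTTPS-enforcement check typically looks for:
    a 3xx whose Location is https:// on the same host and path.
    A 400 response, however well-intentioned, does not satisfy it."""
    if status not in (301, 302, 307, 308):
        return False
    loc = urlsplit(headers.get("Location", ""))
    return loc.scheme == "https" and loc.netloc == host and (loc.path or "/") == path


if __name__ == "__main__":
    for target in ("/", "/foo", "/foo?q=1"):
        status, headers, body = handle_http_request("api.fda.gov", target, API)
        print(target, status, headers.get("Location", ""), scanner_accepts(status, headers, "api.fda.gov", "/"))
```

Run stand-alone, the script walks the root path and two sub-paths for a host whose root is routed by an API backend: only `/` produces the 301 that the scanner check recognises, while the sub-paths keep the JSON `HTTPS_REQUIRED` error.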
