You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do * not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
What do you want us to build?
I would like to be able to disable HTTP to HTTPS redirects.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
An alternative might be to set the response code as proposed here: #231.
Another alternative may be to set up API Gateway or Lambdas for custom redirection, but that would incur additional complexity and cost.
Additional context
Anything else we should know?
I currently host an API that uses API keys in the header for authentication. This API is meant for non-browser web clients to consume. Therefore it makes more sense to fail fast when the HTTP protocol is used. This is because if the wrong protocol is used during testing, it can be corrected instead of failing silently and allowing the secret credentials to be leaked.
As mentioned in the reference below:
Redirecting HTTP to HTTPS for APIs can be more harmful than helpful due to the nature of APIs. Unlike user-facing web pages, APIs are primarily consumed by other software. API clients often follow redirects automatically and do not maintain state or support security headers like HSTS. This can lead to silent failures where sensitive data in each API request is initially transmitted in plaintext over the network, unencrypted.
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
The text was updated successfully, but these errors were encountered:
Community Note
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
What do you want us to build?
I would like to be able to disable HTTP to HTTPS redirects.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
An alternative might be to set the response code as proposed here: #231.
Another alternative may be to set up API Gateway or Lambdas for custom redirection, but that would incur additional complexity and cost.
Additional context
Anything else we should know?
I currently host an API that uses API keys in the header for authentication. This API is meant for non-browser web clients to consume. Therefore it makes more sense to fail fast when the HTTP protocol is used. This is because if the wrong protocol is used during testing, it can be corrected instead of failing silently and allowing the secret credentials to be leaked.
As mentioned in the reference below:
Reference: https://jviide.iki.fi/http-redirects
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
The text was updated successfully, but these errors were encountered: