The IESG has approved the following document:
- 'Protecting Credentials with HTTP APIs'
  (draft-ietf-httpapi-privacy-06.txt) as Best Current Practice

This document is the product of the Building Blocks for HTTP APIs Working Group.

The IESG contact persons are Gorry Fairhurst and Mike Bishop.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpapi-privacy/

Technical Summary

Redirecting HTTP requests to HTTPS is a common pattern for human-facing web resources. When done for authenticated HTTP API traffic, client credentials are exposed to the network. This document discusses the pitfalls of the redirect approach and makes deployment recommendations for authenticated HTTP APIs. This document records Best Current Practice.

Working Group Summary

The document reached broad agreement within the working group. Working Group Last Call was concluded on October 11, 2025, with no objections raised. The document received positive engagement from prominent HTTP experts throughout its development.

Document Quality

This is a Best Current Practice document providing guidance rather than a protocol specification. However, the recommendations build upon existing, widely-implemented technologies. There was a comprehensive and helpful shepherd write-up that helped complete this evaluation.

Personnel

The Document Shepherd for this document is Darrel Miller. The Responsible Area Director is Gorry Fairhurst.
