Hello all,

For your information, I have created a proposal task at 
https://phabricator.wikimedia.org/T368344. Any insights are welcome!

Best regards,
diskdance

On Wednesday, May 29th, 2024 at 11:19 PM, psnbaotg <[email protected]> 
wrote:

> I noticed an interesting post on Hacker News: 
> https://news.ycombinator.com/item?id=40504756 
> (https://jviide.iki.fi/http-redirects)
> 
> Basically, this article argues that, for security reasons, APIs should "fail early", 
> such as returning 403 and revoking all credentials sent via plain text, 
> rather than redirecting all HTTP requests to HTTPS.
> 
> In my humble opinion, this article's point makes perfect sense, because we 
> cannot expect an arbitrary client to follow HSTS, and a simple typo can cause 
> a serious credential leak.
> 
> I found that all our APIs (action API, Wikimedia REST, and even Wikimedia 
> Enterprise) are doing redirects:
> 
> $ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/api/rest_v1/page/title/Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
> 
> $ curl -I "http://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
> 
> $ curl -I http://api.enterprise.wikimedia.com/v2/snapshots
> HTTP/1.1 301 Moved Permanently
> Server: awselb/2.0
> Date: Wed, 29 May 2024 10:03:24 GMT
> Content-Type: text/html
> Content-Length: 134
> Connection: keep-alive
> Location: https://api.enterprise.wikimedia.com:443/v2/snapshots
> 
> I'm asking security folks: should we consider making the above changes, like 
> those services listed in the article? Thank you.
> 
> Best regards,
> diskdance
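For readers who want to see the "fail early" behaviour the quoted article describes side by side with the redirect behaviour observed above, here is a small WSGI app that implements it. This is an added example written for this thread; it is not Wikimedia code and says nothing about how the Wikimedia edge is actually configured. It assumes the app sits behind a TLS terminator that sets `wsgi.url_scheme` correctly, and it uses the in-memory sets `VALID_TOKENS` and `REVOKED` (with a constructed sample token) as stand-ins for a real credential store. Plaintext requests under `/api/` get a 403 with no `Location` header, and any Bearer token they carried is revoked; plaintext requests to browser-facing paths still get the usual 301 to https, since that is where redirects plus HSTS work well.

```python
"""Fail-early handling of plaintext API requests, as a small WSGI app.

Added example, not Wikimedia code. Assumptions: a TLS terminator in front
sets wsgi.url_scheme; VALID_TOKENS / REVOKED stand in for a credential store.
"""
from urllib.parse import urlunsplit

API_PREFIX = "/api/"
HSTS = "max-age=31536000; includeSubDomains"

# Constructed sample credential store (the token is made up for this example).
VALID_TOKENS = {"tok-abc123"}
REVOKED = set()


def bearer_token(environ):
    """Return the Bearer token from the Authorization header, or None."""
    scheme, _, value = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return value.strip() or None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    scheme = environ.get("wsgi.url_scheme", "http")
    is_api = path.startswith(API_PREFIX)

    if scheme != "https":
        if is_api:
            # Plaintext API call: do not redirect (a client that followed the
            # redirect would just resend the secret). Refuse, and treat any
            # credential that crossed the wire in clear as burned.
            token = bearer_token(environ)
            if token:
                REVOKED.add(token)
            body = (b"403: this API is https-only; credentials sent over "
                    b"http are revoked.\n")
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Browser-facing page: redirect, and rely on HSTS on the https side.
        location = urlunsplit(("https", environ.get("HTTP_HOST", "localhost"),
                               path, environ.get("QUERY_STRING", ""), ""))
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

    if is_api:
        token = bearer_token(environ)
        if token in VALID_TOKENS and token not in REVOKED:
            status, body = "200 OK", b'{"ok": true}\n'
        else:
            status, body = "401 Unauthorized", b'{"error": "unauthorized"}\n'
        start_response(status, [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(body))),
            ("Strict-Transport-Security", HSTS),
        ])
        return [body]

    body = b"<html><body>ok</body></html>\n"
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Length", str(len(body))),
        ("Strict-Transport-Security", HSTS),
    ])
    return [body]


def call(method, path, scheme, host="api.example.org", headers=None, query=""):
    """Drive app() with a constructed WSGI environ; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "wsgi.url_scheme": scheme, "HTTP_HOST": host,
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = int(status.split(" ", 1)[0])
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    auth = {"Authorization": "Bearer tok-abc123"}
    print(call("GET", "/api/rest_v1/page/title/Earth", "https", headers=auth)[0])  # 200
    print(call("GET", "/api/rest_v1/page/title/Earth", "http", headers=auth)[0])   # 403
    print(call("GET", "/api/rest_v1/page/title/Earth", "https", headers=auth)[0])  # 401
    print(call("GET", "/wiki/Earth", "http")[1]["Location"])  # https://api.example.org/wiki/Earth
```

The sequence in the `__main__` block is the point of the policy: the same token works over https, is refused and burned the moment it is seen over http, and no longer works over https afterwards, so a typo'd `http://` in a script costs one token rather than silently working via the redirect.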
_______________________________________________
Wikitech-l mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/