@@ -27,10 +27,10 @@ author:
2727 -
2828 fullname : Mike Bishop
2929 organization : Akamai Technologies
30- email : mbishop@akamai.com
30+ email : mbishop@evequefou.be
3131 -
3232 fullname : Marius Kleidl
33- organization : TODO
33+ organization : Transloadit
34343535
3636normative :
@@ -199,57 +199,6 @@ This document has no IANA actions.
199199--- back
200200
201201# Acknowledgments
202+ {:numbered="false"}
202203
203204We are grateful to Joachim Viide for his {{BLOG}} blog posting that brought up the issue.
204-
205- # Notes
206-
207- I don't disagree with the thrust of the article, but I take a different
208- message from it. It's not that the redirect is bad; the redirect is beside
209- the point.
210-
211- An unencrypted authenticated request should, in general, not succeed. It
212- should at a minimum fail and ideally revoke the just-disclosed credentials.
213-
214- The redirect is bad in this case because the subsequent request succeeded.
215- Returning a 200 over HTTP would be just as bad.
216-
217- Browsers warn if you enter a password field on a form that sends to http.
218- Api clients don't, and many API's have an API key in the link or as a header field.
219-
220- # # From some email
221-
222- I chose to explicitly address redirects in particular, as they seem to be the
223- status quo that most APIs implement, probably due to redirects being the
224- standard operating procedure" in webdev lore. Redirects are also often the
225- simplest option due to server software like Caddy supporting them out of the
226- box.
227-
228- Ben Bucksch had good points. Failing unencrypted requests (or connection
229- attempts) is a relatively low hanging fruit for improving the aforementioned
230- status quo. Then at least accidental plain HTTP use can be noticed easily and
231- fixed early, reducing the window of opportunity for attacks. API providers
232- can also implement failures first and then move on to the more complex topic
233- of token auto-revocation. Anthropic chose an interesting approach : their API
234- now returns an error that also suggests rotating the API keys manually. I
235- think its a good quick improvement, informing the API consumer of a
236- recommended path forward.
237-
238- As for using the HTTP status code 426, I almost implemented that for our API
239- when I noticed that NPM uses it. However,
240- https://httpwg.org/specs/rfc9110.html#status.426 states:
241-
242- " the server MUST send an Upgrade header field"
243-
244- Later in section 7.8 (https://httpwg.org/specs/rfc9110.html#rfc.section.7.8):
245-
246- The Upgrade header field only applies to switching protocols on top of the
247- existing connection; it cannot be used to switch the underlying connection
248- (transport) protocol, nor to switch the existing communication to a
249- different connection.
250-
251- As the switch from HTTP to HTTPS would require a new connection, I felt that
252- it was not a perfect match. Thats why I ended up emulating Stripe with status
253- code 403, which "indicates that the server understood the request but refuses
254- to fulfill it." A bit more open-ended, but not a perfect match either.
255-
0 commit comments