• pivot_root@lemmy.world
    link
    fedilink
    arrow-up
    39
    ·
    7 months ago

    This seems like common sense, no? Return 403 or better yet reject TCP connections on port 80 entirely.

    That initial HTTP request header and body is sent in clear text, and that’s more than enough to leak credentials or other sensitive data.

    • Domi@lemmy.secnd.me
      link
      fedilink
      arrow-up
      21
      ·
      7 months ago

      This seems like common sense, no?

      Hindsight is 20/20. As seen in the post, there’s not that many APIs that don’t just blindly redirect HTTP to HTTPS since it’s sort of the default web server behaviour nowadays.

      Probably a non-issue in most cases since the URLs are usually set by developers but of course mistakes happen and it absolutely makes sense to not redirect HTTP for APIs and even invalidate any token used over HTTP.

      • towerful
        link
        fedilink
        arrow-up
        5
        ·
        7 months ago

        Invalidating creds sent over http is a great point!