• Domi@lemmy.secnd.me
    link
    fedilink
    arrow-up
    21
    ·
    6 months ago

    This seems like common sense, no?

    Hindsight is 20/20. As seen in the post, there’s not that many APIs that don’t just blindly redirect HTTP to HTTPS since it’s sort of the default web server behaviour nowadays.

    Probably a non-issue in most cases since the URLs are usually set by developers but of course mistakes happen and it absolutely makes sense to not redirect HTTP for APIs and even invalidate any token used over HTTP.

    • towerful
      link
      fedilink
      arrow-up
      5
      ·
      6 months ago

      Invalidating creds sent over http is a great point!