API Shouldn't Redirect HTTP to HTTPS

The Stack Exchange API used to revoke API keys sent over HTTP (and return an error message), which is my favorite way to handle this.

Great article! We&#x27;ve updated the OpenAI API to 403 on HTTP requests instead of redirecting.<p><pre><code> $ curl http:&#x2F;&#x2F;api.openai.com&#x2F;v1&#x2F;chat&#x2F;completions \ -H &quot;Content-Type: application&#x2F;json&quot; \ -H &quot;Authorization: Bearer 123&quot; \ -d &#x27;{}&#x27; { &quot;error&quot;: { &quot;type&quot;: &quot;invalid_request_error&quot;, &quot;code&quot;: &quot;http_unsupported&quot;, &quot;message&quot;: &quot;The OpenAI API is only accessible over HTTPS. Ensure the URL starts with &#x27;https:&#x2F;&#x2F;&#x27; and not &#x27;http:&#x2F;&#x2F;&#x27;.&quot;, &quot;param&quot;: null } }</code></pre>

I appreciate the author calling this out because creating an HTTP-redirect-to-HTTPS is something I&#x27;ll do almost without thinking about it. &quot;If it has HTTPS, I&#x27;ll set up an HTTP redirect.&quot; Now I know that I need to think about it before setting that up.<p>It also made me realize that cURL&#x27;s default to not redirect automatically is probably intentional and is a good default. Praise be to Daniel Stenberg for this choice when implementing cURL.

The author includes a surprising response from &quot;Provider B&quot; to the HackerOne report.<p>&gt; <i>Provider B: Reported on 2024-05-21 through their HackerOne program. Got a prompt triage response, stating that attacks requiring MITM (or physical access to a user&#x27;s device) are outside the scope of the program. Sent back a response explaining that MITM or physical access was not required for sniffing. Awaiting response.</i><p>I think Provider B morally should require HTTPS, but it really surprises me that the author would say &quot;MITM or physical access is not required for sniffing.&quot;<p>Is that true? Isn&#x27;t HTTP sniffing an example of a MITM attack, by definition? Am I using the words &quot;MITM&quot; or &quot;sniffing&quot; differently from the author?<p>I&#x27;m familiar with the following attacks, all of which I&#x27;d call &quot;MITM&quot;:<p>1. Public unencrypted (or weakly WEP encrypted) wifi, with clients connecting to HTTP websites. Other clients on the same wifi network can read the unencrypted HTTP packets over the air.<p>2. Public encrypted wifi, where the attacker controls the wifi network (or runs a proxy wifi with the same&#x2F;similar SSID,) tricking the client into connecting to the attacker over non-TLS HTTP.<p>3. ISP-level attacks where the ISP reads the packets between you and the HTTP website.<p>Aren&#x27;t all of these MITM attacks, or at the very least &quot;physical access&quot; attacks? How could anyone possibly perform HTTP sniffing without MITM or physical access??

As a non-developer, ordinary computer user &quot;providing service&quot; for one user (yours truly) it&#x27;s easy for me to configure the TLS forward proxy listening on the loopback to send _all_ HTTP requests, from _any_ application, including ones sent to port 80, via HTTPS. This I find preferable to letting a browser try to convert HTTP to HTTPS, e.g., &quot;HTTPS Everywhere&quot;, or letting a developer do it with a redirect. Personally, I compile clients without linking to a TLS library. They are smaller without it and I do not have to worry about every author having correctly added TLS support. When SSL&#x2F;TLS changes, applications using it often need to be updated, and some authors have made mistakes, socat being one example that comes to mind. I do 100% of TLS negotiation using a single program: the proxy. Every HTTP request on the home network goes to the proxy.

HTTPS and SVCB DNS records will hopefully make it more feasible over time to drop the traditional HTTP server-side redirect. The client agent will be able to read the DNS record and upgrade to the highest available protocol prior to sending the first request.

Revoking an API key upon a single http request assumes you have a competent team. Have worked with people that have committed sensitive credentials into public repositories, used PRODUCTION secrets for testing, and of course sharing secrets in plain text over IM and group chats.<p>The number of times I have had to deal with password or secret key resets because of this is way too high. I remember working with a guy that thought sharing a demo of an internal application on YouTube was okay. Of course it had snippets of company secrets and development API keys clearly visible in the demo.

I hope that providers whose APIs responded and interacted fully over unencrypted HTTP would go back to their historical access logs and check how widespread using plaintext HTTP is. If they don&#x27;t have access logs for their API then they could just sample next 24 hours for API accesses.<p>Popular providers have so many API users today that even a rare mistake could expose quite many users in absolute numbers. Would rather have providers to check this out rather than have this poor practice abused by the next DNS hijacking malware affecting home routers.

My personal website (darigo.su) doesn&#x27;t have HTTPS. I just deployed it a few months ago and haven&#x27;t really done much with it yet. I guess I&#x27;ll have to get around to it eventually, but I find charm in small old sites that haven&#x27;t implemented modern protocol stuff. My site also uses &lt;font&gt; and &lt;center&gt; tags all over the place.<p>Maybe I&#x27;ll do some more quirky anachronisms, like only serve the site via HTTP 1.0 or something. Who knows. Since my site has very little functionality, it doesn&#x27;t really matter, it&#x27;s just for fun.

Interesting - I hadn&#x27;t considered this before, but makes perfect sense. Feels like it&#x27;s something that&#x27;s easy to miss, as lots of APIs are hosted behind generic web application firewalls that often have automatic HTTPS redirection as a base rule.

npm is misusing 426 Upgrade Required.<p><a href="https:&#x2F;&#x2F;httpwg.org&#x2F;specs&#x2F;rfc9110.html#status.426" rel="nofollow">https:&#x2F;&#x2F;httpwg.org&#x2F;specs&#x2F;rfc9110.html#status.426</a>:<p>&gt; <i>The server MUST send an Upgrade header field in a 426 response to indicate the required protocol(s) (Section 7.8).</i><p><a href="https:&#x2F;&#x2F;httpwg.org&#x2F;specs&#x2F;rfc9110.html#field.upgrade" rel="nofollow">https:&#x2F;&#x2F;httpwg.org&#x2F;specs&#x2F;rfc9110.html#field.upgrade</a>:<p>&gt; <i>The Upgrade header field only applies to switching protocols on top of the existing connection; it cannot be used to switch the underlying connection (transport) protocol, nor to switch the existing communication to a different connection. For those purposes, it is more appropriate to use a 3xx (Redirection) response (Section 15.4).</i><p>If you’re going to talk cleartext HTTP and issue a client error rather than redirecting, 403 Forbidden or 410 Gone are the two most clearly correct codes to use.<p>Ignoring the mandated semantics and requirements of status codes is sadly not as rare as it should be. A few I’ve encountered more than once or twice: 401 Unauthorized without using WWW-Authenticate and Authorization; 405 Method Not Allowed without providing Allow; 412 Precondition Failed for <i>business logic</i> preconditions rather than <i>HTTP</i> preconditions; 417 Expectation Failed for something other than an Expect header. I think it only ever really happens with 4xx client errors.

I fully support this and have always pushed for this. One because it becomes a huge mess to maintain over time but also because it long term will lower traffic through the LB.<p>Unfortunately what i see happen all the time is quick fixes are pushed to the infra. For example they deploy and typo the URL. Now we have a prod outage and infra is pulled in to fix this asap. No time to wait for that 10 minute deploy pipeline that requires all the tests to run and a deploy to dev.<p>This happens once and then infra is asked why we don’t already redirect all URLs. Management doesn’t care about security and they just lost money. Guess what you are doing now. This is the world we live in.

I agree that APIs shouldn&#x27;t automatically redirect HTTP to HTTPS, but I also think that client libraries shouldn&#x27;t follow redirects by default.

Completely agree, and arguably why stop at API servers?<p>Depending on server-side HTTP -&gt; HTTPS redirects for security reinforces&#x2F;rewards bad practices (linking to HTTP, users directly entering HTTP etc.), in a way that makes users vulnerable to one of the few remaining attack vectors of &quot;scary public Wi-Fis&quot;.

Yes, great article. And now can we convince folks with http+https websites to shut down http access and only offer https. I&#x27;ve seen simple mistakes like only partial redirects happening. Large numbers of internal links that still go to the http site, and some of those not redirect, etc. (you would think they are simple to find and just clean up), etc. And it is frustrating when sites like some online forums may be interesting targets for password theft.

I do redirect APIs to HTTPS, but I&#x27;d prefer not to. There&#x27;s a simple reason - My APIs are hosted on the same IP as the public website, behind the same load balancer, so something has to be on the HTTP port. I would prefer to separate them, and my larger customers do - But for smaller customers, it&#x27;s an unnecessary added expense and complication that doesn&#x27;t make sense.

This makes sense, and I wondered for a moment why I hadn&#x27;t noticed the issue in any of our projects. I realized it&#x27;s because we just don&#x27;t expose HTTP in the first place, whether for API or UI purposes. However, that doesn&#x27;t mean there&#x27;s no danger.<p>I believe it&#x27;s still possible for a client to leak its credentials if it makes a bare HTTP&#x2F;1 call to an actual HTTPS endpoint. The server only gets a chance to reject its invalid TLS handshake after it&#x27;s already sent headers that may contain sensitive information. After all, the TCP negotiation did go through, and the first layer 7 packet is the bare HTTP headers.<p>Of course the port numbers should help here, but that&#x27;s not guaranteed in an environment where port numbers are assigned dynamically and rely on service discovery.<p>Serving exclusively HTTP&#x2F;3 should close this gap but requires all clients to be ready for that. I know many internal deployments do this, but it&#x27;s not a universal solution yet.

After all this chatter, I am considering blocking all outgoing traffic to port 80 in my local firewall<p>This would prevent my fat fingers from ever even making the mistake.<p>BLOCK outgoing port 80<p>How bad would that be? Would I be shooting myself in the foot somehow?<p>Perhaps I would do it on the egress rule for where my requesting service is running like in ECS.

I&#x27;ve stopped opening port 80 at all for some of my web services. The parent domain is in the HSTS preload list, so no modern browser should ever be trying to connect to port 80. And (as the fine article intimates) API calls shouldn&#x27;t be available on port 80 <i>anyway</i>.

&gt; Servers can now send HSTS along with the initial HTTP-to-HTTPS redirection response<p>&gt; Node.js&#x27;s built-in fetch happily and quietly followed those redirects to the HTTPS endpoint.<p>Okay.. does nodejs fetch respect HSTS?

It would be great to not listen on tcp&#x2F;80 for your API, except that acme http-01 uses tcp&#x2F;80 explicitly for domain validation. So in order to get https, you open http.<p>Sure, there is dns-01 and tls-alpn-01 but I presume that majority uses http-01 and migrating it is not a trivial matter.

If you are paying the cost of a TLS handshake, which you will have to anyway, why not just use client certificates to authenticate (mTLS) instead of hand rolled and rudimentary auth tokens on top. gRPC has built-in support for mTLS and it could be a good time to modernize your endpoints if you are looking to invest time to improve your API security.

Maybe shttp would have been better than https to reduce typo errors or maybe even something completely different from http.

There is a limited number of cases, where unencrypted http is still applicable, e.g. verifiable packages. In general though, it feels wrong even to think about putting such a glaring useless hole.

I think a good approach would be for developers to always use a custom HTTPClient class which throws an error if HTTP is used. I.e. you MUST opt in to use HTTP.

You can’t make this decision until you know how many customers are on http and how lucrative they are .<p>Breaking an API because you read a blog post is a bad idea

If you want to implement this in a AWS&#x2F;ALB (Load Balancer) setup, you have to:<p>- Remove the ALB&#x27;s HTTP listener<p>- Remove port 80 from the ALB&#x27;s security group

That&#x27;s an excellent point, and definitely something I&#x27;ve done without thinking about it. I&#x27;m going to stop, and disable those. Thanks!

https is great, and I&#x27;m glad most web traffic uses it. However, sometimes you <i>want</i> http.<p>Example: when teaching low-level socket programming, plain http is the easiest place to start.<p>Example: when providing simple, nonsensitive, read-only info via API, the overhead of https and certificate management seems unnecessary.

Now that I think about it, interfaces such as Js fetch should make it an error to use http without explicitly allowing in an option.<p>It seems to easy to make an error and end up in a situation like the post explains.

Hard to argue against this.

&gt; and revoke API keys sent over the unencrypted connection.<p>Excuse me, short question:<p>If I am not offering a non-TLS endpoint in the first place, and the client, for some reason, decides to take something that is literally called &quot;SECRET&quot;, and decides to shout it across the open internet unencrypted...<p>...how is that my problem again?<p>Why should my setup be more complex than it needs to be, to make up for an obvious mistake made by the client?

Headline reads like a hot take. Actual recommendation is rather useful. Click-bait used for good.

Makes sense.

I think that it would be better to allow both as much as possible. One way to handle authentication is to use HMAC; you can do that even without needing TLS (and HMAC won&#x27;t leak the keys if one of the systems (e.g. a reverse proxy or something else) is compromised).<p>If you do not want to do that, then don&#x27;t accept connections on port 80, at least when version 6 internet is being used. (For version 4 internet, it is possible that you might use the same IP address for domain names that do want to accept connections on port 80, so you cannot easily block them in such a case.)<p>And, if you want to avoid compromising authentication data, then TLS is not good enough anyways. The client will need to know that the server certificates have not been compromised. HMAC will avoid that problem, even without TLS.<p>There is also the payload data. TLS will encrypt that, but the URL will be unencrypted if TLS is not used, whether or not the API key is revoked; the URL and headers may contain stuff other than API keys.<p>Some APIs also might not need keys; e.g. read-only functions for public data often should not need any kind of API keys (and should not have mandatory TLS either, although allowing optional TLS is helpful, since it does provide some security, even though it doesn&#x27;t solve everything).<p>HSTS is even worse.<p>TLS prevents spies from reading and tampering with your messages, but does not prevent the server from doing so (although in this case it might be unimportant, depending on the specific file being accessed). It also is complicated and wastes energy, and there are sometimes security vulnerabilities in some implementations so does not necessarily improve security.<p>Of course, these ideas will not, by itself, improve security, and neither will TLS; their combination also won&#x27;t do. You will have to be more careful to actually improve security properly. Some people think that, if you add TLS and HTTPS, and insist on using it, then it is secure. Well, it is very wrong!!! TLS will improve security in some ways as described in the previous paragraph, but does not solve everything.<p>It is also problematic if a client does not have an option to disable TLS (or use unencrypted proxies), since if you deliberately want to do MITM on your own computer, you will then have to effectively decrypt and encrypt the data twice. (If the client uses TLS by default, that would work, although if it is according to the URL then it might be by the configurable URL instead; however, the URLs do not always come from the configuration file, and even if it does, and if you want to avoid typographical errors (although even if &quot;https&quot; is specified, typographical errors are still possible (e.g. in the domain name), so just checking for &quot;https&quot; won&#x27;t even necessarily help anyways; specifying what certificates to expect might sometimes help), then you might have your program to display a warning message, perhaps.) Another problem is if the client and server require different versions of TLS and it is difficult to change the software (there are reasons you might want to change only some parts of it, and that can be difficult); using a local unencrypted proxy which connects to the server using TLS, can also avoid problems like this, too.

&quot;This unencrypted part of the communication flow has its flaws. Third parties in shared networks, as well as network intermediaries, could sniff passwords and other secrets from the initial HTTP traffic or even impersonate the web server with a MITM attack.&quot;<p>A strawman fallacy.

Don&#x27;t have HTTP available at all

Nothing should redirect ever. However, it happens.

Or just add your domain to the hsts preload list and never have to worry about this.

Or better: actually provide the API on HTTP and HTTPS if your use case allows it (ie, non-commercial&#x2F;institutional, just something for human people).

Sort of off-topic. What is a recommended way to sell access to a one-off data API? Low code method to control access and facilitate payment?