
Add option to forbid plain http requests (where ssl-redirect is unsafe) #11391

Open
@awoimbee

Description

I host an API, a webapp (and much more).
I want HTTP requests to the webapp to be redirected to HTTPS -> I use ssl-redirect.
I want HTTP requests to the API to return a 4XX "http_unsupported: This endpoint is only accessible over HTTPS."

Reason:
If an API consumer misconfigures his client to use plain HTTP, he won't know about it, but all his secret tokens will be sent in plaintext.

See the Hacker News thread "API Shouldn't Redirect HTTP to HTTPS".

Most APIs (that don't redirect to HTTPS) return a 403, npm returns a 426 with no Upgrade header.
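Until an option exists, the behaviour the issue asks for can be approximated with the existing annotations. The Ingress below is an added example, not code from the issue or from the ingress-nginx project; it assumes TLS terminates at the ingress controller itself (so `$scheme` reflects the client connection) and that the controller ConfigMap has `allow-snippet-annotations: "true"`, since snippet annotations are disabled by default in current releases. The host, service name and port are placeholders.

```yaml
# Added example (not from the issue): reject plain-HTTP calls to an API
# Ingress with 426 instead of redirecting them, so a misconfigured client
# fails loudly rather than silently leaking its bearer token over HTTP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api                         # placeholder name
  annotations:
    # Keep the controller from issuing its usual 308 redirect for this host.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    # configuration-snippet lands inside the location block, where
    # add_header is permitted inside an `if`. `always` is required because
    # add_header only applies to 2xx/3xx responses by default.
    # Assumption: $scheme is "http" only for non-TLS client connections,
    # i.e. no upstream load balancer terminates TLS in front of the controller.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($scheme = http) {
        add_header Upgrade "TLS/1.2, HTTP/1.1" always;
        add_header Connection "Upgrade" always;
        return 426 "http_unsupported: This endpoint is only accessible over HTTPS.";
      }
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.example.com           # placeholder host
      secretName: api-tls           # placeholder secret
  rules:
    - host: api.example.com         # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api           # placeholder service
                port:
                  number: 8080      # placeholder port
```

Verify the result with `curl -i http://api.example.com/` (expect `HTTP/1.1 426` and no `Location` header) and `curl -i https://api.example.com/` (expect the backend's normal response); the webapp's Ingress keeps `ssl-redirect` enabled and is unaffected.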

Metadata

Labels

- kind/feature (Categorizes issue or PR as related to a new feature.)
- lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness.)
- needs-priority
- triage/accepted (Indicates an issue or PR is ready to be actively worked on.)