-
-
Notifications
You must be signed in to change notification settings - Fork 723
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement HTTP handling for TlsServer
#984
base: master
Are you sure you want to change the base?
Conversation
Hi, |
My thinking was that maybe somebody is interested in this feature without the automatic upgrade. So is this standalone feature (without upgrading) undesired? |
I'm thinking about the downside of allowing this without the "upgrade" is that using HTTP that doesn't immediately redirect to HTTPS is problematic. At my place of work, it's considered a vulnerability. If anything, it should be opt-out of upgrading, not opt in, since it makes your program significantly more insecure. |
Yeah, that sounds reasonable to me. I don't think I will even implement the opt-out, because personally I don't have a use-case, so we can do it when somebody requests it. Will look into implementing the automatic upgrade soon. |
ah good question, but What would be the use case for that?
interesting, yeah I was also wondering about that, do you have more info on the possible attack vector? Update: saw @daxpedda response, ok great! 👍 |
I don't know, I was only doing it to make the implementation easier, I can't even come up with a use-case.
I'm assuming if you set up a HTTPS server you don't actually want anybody connecting over HTTP. So if one forgets to setup the automatic upgrade, a user could potentially use the website completely over HTTP instead of over HTTPS. An attacker could use this by just sending you the HTTP link, even if you check the domain, you might not notice the scheme. |
This allows hosting a HTTP and HTTPS server on the same port. The main use-case is upgrading a connection to HTTPS automatically when connecting to e.g. "localhost:3030", as browsers connect via HTTP unless explicitly specified.
I implemented this in a way to be optional while not disturbing the default path.
This is a first step towards #417. I learned a lot since then 😅.