How to redirect API calls from HTTP to HTTPS #15

New Issue

Open

opened 2019-11-06 17:56:50 +00:00 by Ghost · 3 comments

Ghost commented 2019-11-06 17:56:50 +00:00

Copy Link

Using greenlock-express v3 to serve my website; i have an API and currently my API client (RestSharp) fails as receives an HTML with the http-equiv redirect to https....

There is some way (cannot find on docs) to make greenlock-express to send an HTTP 301 with the https location?

Thanks!

Using greenlock-express v3 to serve my website; i have an API and currently my API client (RestSharp) fails as receives an HTML with the <META> http-equiv redirect to https.... There is some way (cannot find on docs) to make greenlock-express to send an HTTP 301 with the https location? Thanks!

coolaj86 commented 2019-11-06 18:15:01 +00:00

Owner

Copy Link

Yes, but I’m on my phone so I’ll give a quick response now and follow up later:

You can, but you would be purposefully defeating the security feature that was put in exactly for this use case.

API clients SHOULD NOT follow HTTP -> HTTPs redirects.

That exposes API tokens publicly to anyone on the network.

Instead, the API client should be fixed to use HTTPS urls for HTTPS apis.

Yes, but I’m on my phone so I’ll give a quick response now and follow up later: You can, but you would be purposefully defeating the security feature that was put in exactly for this use case. API clients SHOULD NOT follow HTTP -> HTTPs redirects. That exposes API tokens publicly to anyone on the network. Instead, the API client should be fixed to use HTTPS urls for HTTPS apis.

Ghost commented 2019-11-06 18:53:20 +00:00

Author

Copy Link

My problem is, my clients should work with HTTP while i'm migrating them to https (hundreds of clients which i must manually update...)

Giving an error while the migration is in progress in NOT AN OPTION! I must continue to respond on HTTP, and also respond on HTTPS.

When all my REST clients are fully going to HTTPS and nobody uses HTTP in that specific API, then i can finally remove that "temporary redirect"

My problem is, my clients should work with HTTP while i'm migrating them to https (hundreds of clients which i must manually update...) Giving an error while the migration is in progress in NOT AN OPTION! I must continue to respond on HTTP, and also respond on HTTPS. When all my REST clients are fully going to HTTPS and nobody uses HTTP in that specific API, then i can finally remove that "temporary redirect"

coolaj86 commented 2019-11-06 18:59:41 +00:00

Owner

Copy Link

Check out the http example in the examples folder.

You can pass in your own instance of redirect-https with the meta option turned off.

Or you can write your own redirector as a normal http app.

Check out the http example in the examples folder. You can pass in your own instance of `redirect-https` with the meta option turned off. Or you can write your own redirector as a normal http app.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v4.0.4

v4.0.3

v4.0.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.6

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.4

v2.3.2

v1.3.1

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.2.0

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

Labels

No items

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: root/greenlock-express.js#15

No description provided.