What is the proper HTTP response to send for requests that require SSL/TLS

长情又很酷 2020-12-03 16:38

I'm designing a RESTful API where some calls are public over HTTP, and some require an API key and encryption over HTTPS. I'm deliberating on what response code should b

5 answers
  • 2020-12-03 17:05

    The appropriate error code to return would be similar to 403.4 - SSL required.

    Although not explicitly documented in the RFC for HTTP 1.1, this behavior does match the requirements outlined there:

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

    Adding your own subcode (as with the SSL example) might be helpful in some cases, but since this subcode would not be meaningful to third parties, I would recommend against it.

    So, your final error message would be something like "403 - Private Resource". Note that, even in the case of a missing API key, "401 - Unauthorized" should not be used, unless your API key can actually be transmitted in a WWW-Authenticate header field.

  • 2020-12-03 17:05

    Returning a 403 with reason phrase "HTTPS Required" seems like a practical option and what I use.

    see https://en.wikipedia.org/wiki/HTTP_403

    Redirecting a REST API is not a good idea, especially as you may have no idea as to how or what is consuming your service.

  • 2020-12-03 17:07

    I cannot say if this is broadly accepted by HTTP clients, but speaking strictly RFC, the server should respond with:

    HTTP/1.1 426 Upgrade Required
    Upgrade: TLS/1.0, HTTP/1.1
    Connection: Upgrade

    Source:
    http://tools.ietf.org/html/rfc2817#section-4.2

  • 2020-12-03 17:11

    Just send a redirect to the corresponding https: URI.

    UPDATE

    This is a wrong answer - see comments below

  • 2020-12-03 17:23

    The most secure way to force an HTTP client to use HTTPS is HTTP Strict Transport Security.

    Previously a common suggestion was to drop the connection, but this practice has been removed in favor of HSTS (OWASP website).

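The three server-side options the answers above settle on (a 403 with "HTTPS Required", a 426 Upgrade Required carrying the RFC 2817 headers, and sending HSTS once the client is already on HTTPS) are easy to get subtly wrong in the same middleware, so here is a worked gate that implements all three. This is an added example written for this page, not code from any of the answerers. It assumes a framework-agnostic request/response model, a hypothetical set of private path prefixes (`/v1/account`, `/v1/admin`), and an optional reverse proxy that sets `X-Forwarded-Proto`; the header is honoured only when that proxy is explicitly trusted, because otherwise any client could claim "https" and walk past the check.

```python
# Added example (not from any answer above): a small, framework-agnostic gate
# that decides what to send when a request that requires TLS arrives in clear
# text. Assumptions: a request object exposing scheme/path/headers, a
# hypothetical set of private path prefixes, and a reverse proxy that sets
# X-Forwarded-Proto on the server's behalf.
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical private resources; everything else is public over plain HTTP.
PRIVATE_PREFIXES = ("/v1/account", "/v1/admin")

# HSTS policy to send on HTTPS responses only (user agents ignore it on HTTP).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


@dataclass
class Request:
    method: str
    path: str
    scheme: str                      # "http" or "https" as seen on this socket
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def effective_scheme(req: Request, trust_proxy: bool = False) -> str:
    """Scheme the client actually used.

    X-Forwarded-Proto is honoured only when this server sits behind a proxy it
    trusts; otherwise any client could claim "https" and bypass the gate.
    """
    if trust_proxy:
        lowered = {k.lower(): v for k, v in req.headers.items()}
        forwarded = lowered.get("x-forwarded-proto")
        if forwarded:
            # Take the first hop's value if several proxies appended theirs.
            return forwarded.split(",")[0].strip().lower()
    return req.scheme.lower()


def is_private(path: str) -> bool:
    return path.startswith(PRIVATE_PREFIXES)


def check_transport(req: Request, mode: str = "forbid",
                    trust_proxy: bool = False) -> Optional[Response]:
    """Return a blocking response, or None if the request may reach its handler.

    mode="forbid"  -> 403 with reason phrase "HTTPS Required" (answers 1 and 2)
    mode="upgrade" -> 426 Upgrade Required per RFC 2817 (answer 3)
    No redirect mode: a redirect is a poor fit for API clients (answers 2 and 4).
    """
    if effective_scheme(req, trust_proxy) == "https" or not is_private(req.path):
        return None
    if mode == "forbid":
        return Response(403, "HTTPS Required",
                        {"Content-Type": "text/plain"},
                        "This resource is only available over HTTPS.")
    if mode == "upgrade":
        # Header values as given in the RFC 2817 example quoted above.
        return Response(426, "Upgrade Required",
                        {"Upgrade": "TLS/1.0, HTTP/1.1",
                         "Connection": "Upgrade",
                         "Content-Type": "text/plain"},
                        "This resource requires TLS.")
    raise ValueError(f"unknown mode {mode!r}")


def handle(req: Request, mode: str = "forbid",
           trust_proxy: bool = False) -> Response:
    """Gate the request, run a stand-in handler, then add HSTS on HTTPS only."""
    blocked = check_transport(req, mode, trust_proxy)
    if blocked is not None:
        return blocked
    resp = Response(200, "OK", {"Content-Type": "text/plain"},
                    f"handled {req.path}")
    if effective_scheme(req, trust_proxy) == "https":
        resp.headers["Strict-Transport-Security"] = HSTS_VALUE
    return resp


if __name__ == "__main__":
    for r in (Request("GET", "/v1/status", "http"),
              Request("GET", "/v1/account", "http"),
              Request("GET", "/v1/account", "https")):
        out = handle(r)
        print(r.scheme, r.path, "->", out.status, out.reason, out.headers)
```

Two design points worth keeping when porting this to a real framework: the explanation is repeated in the body because HTTP/2 has no reason phrase, so "HTTPS Required" on the status line alone is lost there; and `Strict-Transport-Security` is added only to responses that actually went out over HTTPS, since the header means nothing on a plaintext response and emitting it there just leaks the policy.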