zulip/puppet
joseph 291197976a NGINX: Do not redirect /api/v1/ URLs from HTTP to HTTPS.
We currently redirect all unencrypted HTTP requests to HTTPS in NGINX.
While this is reasonable for browser-based environments, which
generally segregate HTTP and HTTPS cookies (ensuring that client
secrets are not leaked in the HTTP request), this poses a security
risk for API clients.  Specifically, an API client which is configured
to auto-follow redirects may send an API key in cleartext, and then
_silently_ follow the 301 redirect provided by NGINX, leaving the user
blind to the fact that their credentials were exposed in cleartext.

Stop redirecting unencrypted API requests, and provide clients with a
clear message alerting them to the fact that credentials were
potentially exposed.

Fixes: #30264.
2024-09-23 23:49:45 +00:00
kandra kandra: We do not serve staging from staging.zulip.com:80. 2024-09-09 15:17:19 -07:00
zulip NGINX: Do not redirect /api/v1/ URLs from HTTP to HTTPS. 2024-09-23 23:49:45 +00:00
deps.yaml puppet: Update dependencies. 2023-05-11 10:51:37 -07:00