For http API calls, consider returning an error rather than redirecting to https

[anyonecancode]

What would you like to discuss with us or let us know?

I was reading https://jviide.iki.fi/http-redirects, which I think makes a good argument for having http calls to an API endpoint return an error rather than redirect to https. tl;dr -- for api endpoints, these are generally not meant for browsers, and it becomes easy to accidentally leak secrets as servers will call the plain text http version first.

I saw that mastodon was listed among the servers tried that redirects rather than errors, and confirmed that hachyderm.io does too.

[Preskton]

Howdy, we are looking in to if we can apply a blanket policy on the /api route to follow the suggested behavior. Ideally, masto would implement this in the upstream codebase as well so that it's more "permanent".

[dmah42]

have we filed an upstream issue against mastodon for this?