Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not redirect /api/v1/ URLs from HTTP to HTTPS #30264

Open
alexmv opened this issue May 30, 2024 · 0 comments
Open

Do not redirect /api/v1/ URLs from HTTP to HTTPS #30264

alexmv opened this issue May 30, 2024 · 0 comments
Labels
area: security Security and hardening issues. Please report vulnerabilities to [email protected].

Comments

@alexmv
Copy link
Collaborator

alexmv commented May 30, 2024

We currently do this redirect at the nginx level; we should adjust nginx to let through requests to /api/v1/ over HTTP, and add a middleware which detects those and renders a constant "The Zulip API is only accessible over HTTPS" error, potentially along with a "your API key should be considered compromised, and rotated" if the request had a valid API key.

See this blog post, CZO thread
@alexmv alexmv added the area: security Security and hardening issues. Please report vulnerabilities to [email protected]. label May 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: security Security and hardening issues. Please report vulnerabilities to [email protected].
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@alexmv