GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Christian Huitema (huitema@social.secret-wg.org)'s status on Saturday, 16-Aug-2025 23:08:52 JST

    Fascinating blog that reveals a worrying practice: https://jviide.iki.fi/http-redirects.
    Many sites exposing a service with an HTTP API can be accessed on HTTP. Sure, the server will redirect to HTTPS, but the client has already sent credentials over the HTTP connection, basically sending password-equivalent data in clear text! Consequences are easy to guess. The blog lists dozens of servers doing that, some small, several quite big!

    In conversation about 4 months ago from social.secret-wg.org

    Attachments

    1. Your API Shouldn't Redirect HTTP to HTTPS
       from @jviide.iki.fi
       Instead of redirecting API calls from HTTP to HTTPS, make the failure visible. Unfortunately, many well-known API providers don't currently do so.
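The failure mode the post describes, with the mitigation the linked article recommends, as an added example (not code from the post, the article, or GNU social): a WSGI middleware that refuses plain-HTTP API calls with a visible 403 and logs that the credential was already exposed, while still redirecting human-facing pages. The "/api/" prefix and the X-Forwarded-Proto header from a trusted TLS-terminating proxy are assumptions.

```python
# Added example, not code from the linked post or from GNU social: refuse plain-HTTP
# API calls with a visible error instead of redirecting. The "/api/" prefix and the
# trusted TLS-terminating proxy setting X-Forwarded-Proto are assumptions here.
import logging

logger = logging.getLogger("plain_http_guard")

def request_is_https(environ):
    # TLS directly on this server, or terminated at the trusted proxy.
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"

def plain_http_guard(app, api_prefix="/api/"):
    """WSGI middleware: browsers get a redirect, API clients get a failure."""
    def guarded(environ, start_response):
        if request_is_https(environ):
            return app(environ, start_response)
        path = environ.get("PATH_INFO", "")
        if path.startswith(api_prefix):
            if "HTTP_AUTHORIZATION" in environ or "HTTP_COOKIE" in environ:
                # The secret already crossed the wire in clear text: log it so the
                # credential gets revoked, not merely the request refused.
                logger.warning("credential sent over plain HTTP to %s", path)
            body = b"API requests must use https://; rotate any credential just sent.\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Human-facing pages carry no API credentials, so redirecting is fine.
        target = "https://" + environ.get("HTTP_HOST", "localhost") + path
        start_response("301 Moved Permanently", [("Location", target)])
        return [b""]
    return guarded

def run(app, scheme, path, headers=None):
    # Drive one request through a WSGI app offline; returns (status, headers).
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "REQUEST_METHOD": "GET",
               "HTTP_HOST": "api.example.test", "REMOTE_ADDR": "192.0.2.10"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    def start_response(status, response_headers):
        seen["status"], seen["headers"] = status, dict(response_headers)
    b"".join(app(environ, start_response))  # consume the body as a server would
    return seen["status"], seen["headers"]

def backend(environ, start_response):  # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

guarded_app = plain_http_guard(backend)
```

The logged warning is the part worth wiring into alerting: a refused request still means the bearer token or cookie has already been observable on the wire.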


    GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

    All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.