Our Docker setup includes an Nginx container which routes requests to the Django application via Gunicorn. Requests made over HTTP are redirected to the HTTPS version. Our intention is to only allow HTTPS, and this is why we added this redirect. However, the redirect is probably not a good idea, as it could happen in some situations that after the HTTP request with sensitive data (such as access tokens) the client is transparently redirected to HTTPS without even noticing. That would mean that HTTP requests would still be made.
We need to handle HTTP requests in a better way, most probably returning an error if the request is made inside the domain of the API, and allowing the redirect if the request is performed in the web frontend.
The local development nginx config has been updated so that requests going to /api that are not performed over a secure connection get a 403 response. Non-HTTPS requests made to other endpoints (outside /api) are simply redirected.
This behaviour should also be replicated in the production environment.
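The behaviour described in the comment above, written out as an added nginx example (not the project's own config). It assumes the API lives under /api, Gunicorn is reachable as `django:8000` on the Docker network, the host is `example.com`, and the certificate paths are placeholders.

```nginx
# Before (the situation the issue describes): a blanket redirect. A client
# that sends an access token to http://.../api/... gets a 301 and retries
# over https, so the token has already crossed the wire in cleartext and
# nothing in the client ever reports an error.
#
# server {
#     listen 80;
#     return 301 https://$host$request_uri;
# }

# After: cleartext API calls are refused; only the web frontend keeps the
# convenience redirect.
server {
    listen 80;
    server_name example.com;   # assumed host name

    # Prefix match, as on the page: /api and everything below it.
    # A 403 makes a misconfigured client fail loudly instead of being
    # upgraded transparently.
    location /api {
        return 403;
    }

    # Everything else (web frontend) is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder path

    # Browsers that have seen this header will not use http:// for this
    # host again, so the redirect path above is rarely exercised by them.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://django:8000;   # Gunicorn inside the Docker network
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The 403 only stops the token from being replayed over HTTPS by the redirect; it cannot recall what a client has already sent in cleartext, so API clients still need to be configured with https:// URLs only.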