
Remove http to https redirect in nginx container #9

Closed
ffont opened this issue Nov 24, 2016 · 1 comment

Comments

@ffont
Member

ffont commented Nov 24, 2016

Our Docker setup includes an Nginx container which routes requests to the Django application via Gunicorn. Requests made over http are redirected to the https version. Our intention is to only allow https, and this is why we added this redirect. However, the redirect is probably not a good idea as it could happen in some situations that after the http request with sensitive data (such as access tokens) the client is transparently redirected to https without even noticing. That would mean that http requests would still be made.

We need to handle http requests in a better way, most probably returning an error if the request is made inside the domain of the API, and allowing the redirect if the request is performed in the web frontend.

ffont added a commit that referenced this issue Nov 28, 2016
Local development nginx config has been updated so that requests going to /api and not performed using a secure connection get a 403 response. Non-https requests made to other endpoints (outside /api) get simply redirected.
This behaviour should also be replicated in the production environment.

#9
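The split behaviour described in the commit above (plaintext requests under `/api` refused with 403, everything else redirected to https) can be expressed in nginx as follows. This is an added example for illustration, not the project's own configuration: the upstream name `django`, the Gunicorn address, the hostname and the certificate paths are all assumptions.

```nginx
# Added example, not the project's config. Upstream name, hostname
# and certificate paths are placeholders.

upstream django {
    server gunicorn:8000;   # assumed: Gunicorn container on the Docker network
}

server {
    listen 80;
    server_name example.org;   # placeholder hostname

    # API calls may carry access tokens. Refusing plaintext outright
    # makes the client fail loudly instead of being silently upgraded
    # and re-sending the token over https as if nothing happened.
    location /api {
        return 403;
    }

    # Web frontend: a redirect is acceptable here, as the issue states.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.org;   # placeholder hostname

    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # assumed path

    # HSTS makes browsers stop issuing plaintext requests to this host
    # at all, so the frontend redirect is only ever hit on first contact.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://django;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, `curl -i http://example.org/api/` should answer `403 Forbidden` while `curl -i http://example.org/` should answer `301` with a `Location: https://...` header. Note that the 403 does not un-send a token that was already transmitted in the plaintext request; its value is that the API client breaks visibly, so a misconfigured client is noticed and fixed rather than quietly leaking credentials on every call. The HSTS header goes one step further for browser clients by preventing the plaintext request in the first place.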
@ffont
Member Author

ffont commented Dec 12, 2016

Production site configuration has also been updated to return an error if accessing the API using a non-https connection.

@ffont ffont closed this as completed Dec 12, 2016