Don't redirect HTTP requests to the API to HTTPS
We should consider not redirecting from HTTP to HTTPS for requests towards GitLab.com's APIs.
Requests made over plain HTTP should be considered compromised: an API token can be sniffed on the network during the initial HTTP call, before the redirect to HTTPS ever happens. API calls from programs lack the protection browsers offer; in browsers, session cookies are typically kept off plain HTTP by setting the `Secure` flag. No such mechanism exists for API requests that carry a token in a header or request parameter.
We might even consider revoking any access token being submitted via HTTP immediately.
FWIW, both changes, not redirecting and revoking the token, would almost certainly be breaking changes.
More details on the problem can be found in this blog post: https://jviide.iki.fi/http-redirects
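As an added illustration (not GitLab's code), a Rack-style middleware that fails closed for plain-HTTP API requests instead of redirecting them: a request that already carried a token in clear text gets a 400, and a credential-less plain-HTTP API call gets a 403 rather than a 301. The header and parameter names checked are assumptions for this example, and the scheme is read from `rack.url_scheme`, which a deployment behind a TLS-terminating proxy must set from a trusted forwarded header.

```ruby
# Constructed example: refuse plain-HTTP API requests instead of redirecting them.
# Plain Ruby; uses only the Rack env hash convention, so it runs without the rack gem.
class RejectPlainHttpApi
  API_PREFIX = "/api/".freeze
  # Places a token may be sent in (assumed names for this example).
  TOKEN_HEADERS = %w[HTTP_PRIVATE_TOKEN HTTP_AUTHORIZATION].freeze
  TOKEN_PARAMS  = %w[private_token access_token].freeze
  JSON = { "Content-Type" => "application/json" }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) unless api_request?(env) && plain_http?(env)

    if credential_present?(env)
      # The token has already crossed the wire unencrypted: treat it as compromised.
      # Never answer with a 301 that would make the client retry (and re-leak) over HTTPS.
      return [400, JSON,
              ['{"message":"400 Bad Request - token sent over HTTP is considered compromised"}']]
    end
    # No credential yet, but still refuse instead of redirecting, so clients are never
    # taught that starting an API session over HTTP "just works".
    [403, JSON, ['{"message":"403 Forbidden - the API is only served over HTTPS"}']]
  end

  private

  def api_request?(env)
    env["PATH_INFO"].to_s.start_with?(API_PREFIX)
  end

  def plain_http?(env)
    # rack.url_scheme must reflect the real client scheme when TLS ends at a proxy.
    env["rack.url_scheme"].to_s.downcase != "https"
  end

  def credential_present?(env)
    return true if TOKEN_HEADERS.any? { |h| !env[h].to_s.empty? }

    pairs = env["QUERY_STRING"].to_s.split("&")
    TOKEN_PARAMS.any? { |p| pairs.any? { |kv| kv.start_with?("#{p}=") } }
  end
end
```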
cc @gitlab-com/gl-security/appsec cc @hsutor @adil.farrukh for groupauthentication