为需要 SSL/TLS 的请求发送的正确 HTTP 响应是什么 [英] What is the proper HTTP response to send for requests that require SSL/TLS

问题描述

我正在设计一个 RESTful API，其中有些调用是通过 HTTP 公开的，有些则需要 API 密钥和通过 HTTPS 加密.如果将 HTTP 请求发送到私有资源之一，我正在考虑应该发送什么响应代码.到目前为止，我唯一跳出来的是412 - Precondition Failed，但标准表明前提条件是由请求者而不是服务器强加的.

I'm designing an RESTful API where some calls are public over HTTP, and some require an API key and encryption over HTTPS. I'm deliberating on what response code should be sent if an HTTP request is sent to one of the private resources. So far the only one that jumps out at me is 412 - Precondition Failed, but the standard indicates that the precondition is imposed by the requester not the server.

是否有针对这种情况的适当响应代码，还是我只需要屈服并执行 400?

Is there an appropriate response code for this condition or do I just need to give in and do 400?

推荐答案

强制 HTTP 客户端使用 HTTPS 的最安全方法是 HTTP 严格传输安全.

The most secure way to force HTTP client to use HTTPS is HTTP Strict Transport Security.

以前一个常见的建议是断开连接，但是这个 实践已被删除，以支持 HSTS(OWASP 网站).

Previously a common suggestion was to drop the connection, but this practice has been removed in favor of HSTS (OWASP website).

这篇关于为需要 SSL/TLS 的请求发送的正确 HTTP 响应是什么的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！