为需要SSL / TLS的请求发送的正确HTTP响应是什么 [英] What is the proper HTTP response to send for requests that require SSL/TLS
问题描述
我正在设计一个RESTful API,其中一些调用是通过HTTP公开的,有些需要API密钥和HTTPS加密。如果HTTP请求被发送到其中一个私有资源,我正在考虑应该发送什么响应代码。到目前为止,唯一突然出现的是 412 - 前提条件失败,但标准表明前提是由请求者而不是服务器施加的。
I'm designing an RESTful API where some calls are public over HTTP, and some require an API key and encryption over HTTPS. I'm deliberating on what response code should be sent if an HTTP request is sent to one of the private resources. So far the only one that jumps out at me is 412 - Precondition Failed, but the standard indicates that the precondition is imposed by the requester not the server.
对于这种情况是否有适当的响应代码,或者我只需要放弃并执行 400 ?
Is there an appropriate response code for this condition or do I just need to give in and do 400?
推荐答案
强制HTTP客户端使用HTTPS的最安全方法是 HTTP严格传输安全。
The most secure way to force HTTP client to use HTTPS is HTTP Strict Transport Security.
以前常见的建议是放弃连接,但是这个已删除练习以支持HSTS (OWASP网站)。
Previously a common suggestion was to drop the connection, but this practice has been removed in favor of HSTS (OWASP website).
这篇关于为需要SSL / TLS的请求发送的正确HTTP响应是什么的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
