https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
We could use this as a heuristic here:
edgerouter/pkg/erserver/serve.go, lines 141 to 144 in af2531a:

```go
notSecure := r.TLS == nil

if notSecure && !mount.allowInsecureHTTP { // important that this is done before stripPrefix
	redirectHTTPToHTTPS(w, r) // come back when you have TLS, bro
}
```
Counter-argument: this allows downgrade attacks by a MITM attacker removing the header
Further analysis required
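Added example, not edgerouter's code: a hypothetical `headerHeuristic` middleware that redirects to HTTPS only when the browser sent `Upgrade-Insecure-Requests: 1`, next to the unconditional `r.TLS == nil` check the snippet above already uses. The constructed `probe` requests show why the counter-argument holds: once the header is absent from a plain-HTTP request, the heuristic serves it in the clear, while the unconditional check still redirects.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// headerHeuristic (hypothetical) applies the proposed heuristic: redirect a
// plain-HTTP request to HTTPS only if the client signalled it wants upgrades.
func headerHeuristic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && r.Header.Get("Upgrade-Insecure-Requests") == "1" {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// alwaysRedirect (hypothetical) is the header-independent variant: anything
// that arrived without TLS is redirected, whatever headers survived the path.
func alwaysRedirect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed plain-HTTP request (r.TLS is nil) through mw, with
// or without the header, and returns the status and Location the client sees.
func probe(mw func(http.Handler) http.Handler, withHeader bool) (int, string) {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "http://example.test/app?x=1", nil)
	if withHeader {
		req.Header.Set("Upgrade-Insecure-Requests", "1")
	}
	rec := httptest.NewRecorder()
	mw(okHandler).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	fmt.Println(probe(headerHeuristic, true))  // 301 https://example.test/app?x=1
	fmt.Println(probe(headerHeuristic, false)) // 200 (header missing: served over plain HTTP)
	fmt.Println(probe(alwaysRedirect, false))  // 301 https://example.test/app?x=1
}
```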