Can we make HTTP 308 the default for CommonMiddleware / APPEND_SLASH?


René Fleschenberg

Jan 11, 2019, 12:25:04 PM
to django-d...@googlegroups.com
I am using ``APPEND_SLASH = True`` (the default) and usually use a
trailing slash in all of my URL patterns.

This works great for the most part, but some API clients send
POST-requests without the slash and then change the request method to
GET on the subsequent request. In particular, a popular API testing tool
(https://www.getpostman.com/) seems to be affected by this.

I can subclass ``CommonMiddleware`` and set ``response_redirect_class``,
no problem. However, maybe Django should just send HTTP 308 by default?
Is there any reason not to?

--
René Fleschenberg

George-Cristian Bîrzan

Jan 11, 2019, 12:42:23 PM
to django-d...@googlegroups.com
I completely agree.

Even without getting into API clients, the intent of this option is to tell everyone that the canonical URL is not that, not to disrupt normal operations. The same can be said about the http->https redirect. There's no security problem here, as the data has already been sent in plain text; the only thing that I can think of is whether HSTS preload will support anything except 301.

I can, however, see a downside, mostly for API clients, but the people that use the APPEND_SLASH option obviously don't care about this aspect, which is that API clients generally don't cache 301s between sessions, so every request will have an extra hop, vs realising instantly that it's broken (because your POST doesn't work). However, this is something you should expect, after you set that option.

As a side note, this is the browser support for 308: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308#Browser_compatibility - IE on Windows 7/8.1 doesn't support it. User agent hacks are bad, but, at least as a setting that (temporarily) defaults to off, this would be a huge improvement.

--
George-Cristian Bîrzan

Tobias Wiese

Jan 12, 2019, 12:54:04 PM
to django-d...@googlegroups.com
Hello,

On 1/11/19 6:42 PM, George-Cristian Bîrzan wrote:
> the only thing that I can think of is whether HSTS preload will
> support anything except 301.

All my pages redirect via a 308 from the http to the https version.
And most of them are HSTS preloaded. So no problem here.

--
Tobias Wiese