Shapeshifter library should refuse unencrypted http connections (only allow https)

Question

Shapeshifter library should refuse unencrypted http connections (only allow https)

Opened this issue a year ago · 1 comments

Description

The shapeshifter library will send a flex message to any endpoint (http or https), whereas the specification states that only encrypted communication should be allowed.

Fix

We should add a check before setting up a connection, that verifies whether

the endpoint uses https; if the endpoint is http then an exception should be thrown.
the endpoint URL either contains no port, or contains port 443

Answer 1 · 2024-01-30T14:28:07.000Z

Discussed in the TSC meeting: default should be block it, but opt-in http for local development for example.
Also port doesn't say anything. Just require the 'https' scheme should be sufficient.