badges / shields

Concise, consistent, and legible badges in SVG and raster format

Home Page:https://shields.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

endpoint.svg requires https for localhost

niccokunzmann opened this issue · comments

Are you experiencing an issue with...

🪲 Description

When I want to test my service to provide and endpoint,
I see a badge requiring https.
I can not offer HTTPS on localhost but I would like to test the setup with a running shields version.

🔗 Link to the badge

💡 Possible Solution

Related

Hi @niccokunzmann, thanks for reaching out and trying the new endpoint service!

The endpoint service is still in beta, and we're tracking discussions/feedback/etc. on it over in #2838. Would you mind sharing your suggestion over there?

I think adding a check for localhost would be fine. #2838 is a good place to discuss this kind of stuff, but we may as well finish this discussion while we're here!

I wonder if it makes sense at all to require HTTPS. e.g. if I just want to share a badge which is a free Heroku Dyno, I do not have HTTPS. While it is preferable, it limits experimentation. Why require this?

SSL is an industry standard and a good practice. Free dynos on Heroku do support HTTPS and as far as I know always have. What you can't use is a custom domain. 😀

Very well. Now, I understand what is written there: "Free SSL on custom domains." ^^ SSL on their domains is then always available. Okay. Point taken! So, this is only http on localhost as a problem, then, as the issue states.

I also see a potential benefit for supporting http in certain self-hosted scenarios too (especially as we've been eyeballing this internally).

Totally agreed on SSL as best practice, and also agree that requiring SSL could hinder the inner-dev loop. I can also hear some coworkers complaining about having to implement SSL for a private endpoint on our corporate network that would only be accessed by our internal self-hosted shields instance.

I remember the SSL conversation we recently had relative to Bitbucket Server support and it got me wondering if we could potentially have an SSL toggle that would require SSL in all cases. That way we could require SSL on Shields.io on all endpoints/services, but self-hosters would have the ability to turn that off if they really needed to connect to an endpoint/service over http

Yea, it does make sense that during development this could be helpful. Maybe making this configurable is better than specifically allowing unsecured requests from certain domains. It solves both use cases with less code.