endpoint.svg requires https for localhost

[niccokunzmann]

Are you experiencing an issue with...

• shields.io
• My own instance
• gh-badges NPM package

🪲 Description

When I want to test my service to provide and endpoint,
I see a badge requiring https.
I can not offer HTTPS on localhost but I would like to test the setup with a running shields version.

🔗 Link to the badge

💡 Possible Solution

Related

• The code could test for localhost before requiring https: code
• comment about https by @calebcartwright

[calebcartwright]

Hi @niccokunzmann, thanks for reaching out and trying the new endpoint service!

The endpoint service is still in beta, and we're tracking discussions/feedback/etc. on it over in #2838. Would you mind sharing your suggestion over there?

[paulmelnikow]

I think adding a check for localhost would be fine. #2838 is a good place to discuss this kind of stuff, but we may as well finish this discussion while we're here!

[niccokunzmann]

I wonder if it makes sense at all to require HTTPS. e.g. if I just want to share a badge which is a free Heroku Dyno, I do not have HTTPS. While it is preferable, it limits experimentation. Why require this?

[paulmelnikow]

SSL is an industry standard and a good practice. Free dynos on Heroku do support HTTPS and as far as I know always have. What you can't use is a custom domain. 😀

[niccokunzmann]

Very well. Now, I understand what is written there: "Free SSL on custom domains." ^^ SSL on their domains is then always available. Okay. Point taken! So, this is only http on localhost as a problem, then, as the issue states.

[calebcartwright]

I also see a potential benefit for supporting http in certain self-hosted scenarios too (especially as we've been eyeballing this internally).

Totally agreed on SSL as best practice, and also agree that requiring SSL could hinder the inner-dev loop. I can also hear some coworkers complaining about having to implement SSL for a private endpoint on our corporate network that would only be accessed by our internal self-hosted shields instance.

I remember the SSL conversation we recently had relative to Bitbucket Server support and it got me wondering if we could potentially have an SSL toggle that would require SSL in all cases. That way we could require SSL on Shields.io on all endpoints/services, but self-hosters would have the ability to turn that off if they really needed to connect to an endpoint/service over http

[paulmelnikow]

Yea, it does make sense that during development this could be helpful. Maybe making this configurable is better than specifically allowing unsecured requests from certain domains. It solves both use cases with less code.