{"id":199,"date":"2016-01-28T22:14:53","date_gmt":"2016-01-28T22:14:53","guid":{"rendered":"http:\/\/blog.mozilla.org\/tanvi\/?p=199"},"modified":"2022-07-14T20:59:30","modified_gmt":"2022-07-14T20:59:30","slug":"no-more-passwords-over-http-please","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/","title":{"rendered":"No More Passwords over HTTP, Please!"},"content":{"rendered":"<p><strong>Update: This feature is now also enabled in Firefox Release<a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1301772\">,<\/a> starting with Firefox 51.\u00a0 See <a href=\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\">this post<\/a> for more details.<br \/>\n<\/strong><\/p>\n<p><em>Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.<\/em><\/p>\n<p>Username and password pairs control access to users\u2019 personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we <a href=\"https:\/\/telemetry.mozilla.org\/new-pipeline\/dist.html#!cumulative=0&amp;end_date=2016-01-20&amp;keys=__none__!__none__!__none__&amp;max_channel_version=beta%252F44&amp;measure=PWMGR_LOGIN_PAGE_SAFETY&amp;min_channel_version=null&amp;product=Firefox&amp;sanitize=1&amp;sort_keys=submissions&amp;start_date=2015-12-17&amp;table=0&amp;trim=1&amp;use_submission_date=0\">too frequently<\/a> see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png\" alt=\"Firefox Developer Edition 46+ shows a lock with a red strikethrough on non-secure pages that have a password field, while Firefox Release does include that additional iconography\" \/><\/p>\n<h3 id=\"non-secure-page\"><b>How does Firefox determine if a password field is secure or not?<\/b><\/h3>\n<p>Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the <a href=\"https:\/\/w3c.github.io\/webappsec-secure-contexts\/#is-origin-trustworthy\">W3C\u2019s Secure Contexts Specification<\/a> to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a <a href=\"https:\/\/www.veracode.com\/security\/man-middle-attack\">Man-In-The-Middle (MITM)<\/a> attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:<\/p>\n<ol>\n<ol>\n<ul>\n<li>Change the form action so the password submits to an attacker controlled server instead of the intended destination. Then seamlessly redirect to the intended destination, while sending along the stolen password.<\/li>\n<li>Use javascript to grab the contents of the password field before submission and send it to the attacker\u2019s server.<\/li>\n<li>Use javascript to log the user\u2019s keystrokes and send them to the attacker\u2019s server.<\/li>\n<\/ul>\n<\/ol>\n<\/ol>\n<p>Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.<\/p>\n<p>Firefox has been alerting developers of this issue via the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Insecure_passwords#Webconsole_Messages\">Developer Tools Web Console<\/a> since Firefox 26.<\/p>\n<h3><b>Why isn\u2019t submitting over HTTPS enough? Why does the page have to be HTTPS?<\/b><\/h3>\n<p>We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user\u2019s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described <a href=\"#non-secure-page\">above<\/a>, active attackers can MITM an HTTP connection between the server and the user\u2019s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add javascript to the HTML page that will steal the user\u2019s username and password. The attacker then sends the updated HTML to the user. When the user enters their username and password, it will get sent to both the attacker and the site.<\/p>\n<h3><b>What if the credentials for my site really aren\u2019t that sensitive?<\/b><\/h3>\n<p>Sometimes sites require username and passwords, but don&#8217;t actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back and read, but not save any other data about a user. Most users don\u2019t consider this highly sensitive information. Web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, <a href=\"http:\/\/www.jbonneau.com\/doc\/DBCBW14-NDSS-tangled_web.pdf\">password reuse is a big problem<\/a>. Users use the same password across multiple sites (news sites, social networks, email providers, banks). Hence, even if access to the username and password to your site doesn&#8217;t seem like a huge risk to you, it is a great risk to users who have used the same username and password to login to their bank accounts. Attackers are getting smarter; they steal username\/password pairs from one site, and then try reusing them on more lucrative sites.<\/p>\n<h3><b>How can I remove this warning from my site?<\/b><\/h3>\n<p>Put your login forms on HTTPS pages.<\/p>\n<p>Of course, the most straightforward way to do this is to move your whole website to HTTPS. If you aren\u2019t able to do this today, create a separate HTTPS page that is just used for logins. Whenever a user wants to login to your site, they will visit the HTTPS login page. If your login form submits to an HTTPS endpoint, parts of your domain may already be set up to use HTTPS.<\/p>\n<p>In order to host content over HTTPS, you need a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security#Digital_Certificates\">TLS Certificate<\/a> from a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Certificate_authority\">Certificate Authority<\/a>. <a href=\"https:\/\/letsencrypt.org\/\">Let\u2019s Encrypt<\/a> is a Certificate Authority that can issue you free certificates. You can reference <a href=\"https:\/\/wiki.mozilla.org\/Security\/Server_Side_TLS\">these<\/a> <a href=\"https:\/\/mozilla.github.io\/server-side-tls\/ssl-config-generator\/\">pages<\/a> for some guidance on configuring your servers.<\/p>\n<h3><b>What can I do if I don\u2019t control the webpage?<\/b><\/h3>\n<p>We know that users of Firefox Developer Edition don\u2019t only use Developer Edition to work on their own websites. They also use it to browse the net. Developers who see this warning on a page they don\u2019t control can still take a couple of actions. You can try to add \u201chttps:\/\/\u201d to the beginning of the url in the address bar and see if you are able to login over a secure connection to help protect your data. You can also try and reach out to the website administrator and alert them of the privacy and security vulnerability on their site.<\/p>\n<h3><b>Do you have examples of real life attacks that occurred because of stolen passwords?<\/b><\/h3>\n<p>There are ample examples of <a href=\"http:\/\/techcrunch.com\/2014\/10\/14\/dropbox-pastebin\/\">password<\/a> <a href=\"http:\/\/www.billboard.com\/articles\/business\/6413955\/sony-security-kevin-mitnick-electronic-frontier\">reuse<\/a> <a href=\"http:\/\/www.csoonline.com\/article\/2919050\/data-breach\/awareness-lessons-from-the-sony-hack.html\">leading<\/a> to <a href=\"https:\/\/nakedsecurity.sophos.com\/2011\/02\/16\/lessons-to-learn-from-the-hbgary-federal-hack\/\">large<\/a> <a href=\"http:\/\/www.nytimes.com\/2015\/06\/17\/sports\/baseball\/st-louis-cardinals-hack-astros-fbi.html\">scale<\/a> <a href=\"http:\/\/www.geekwire.com\/2014\/hack-attack-prompts-massive-password-reset-yahoo-mail\/\">compromise<\/a>. There are fewer well-known examples of passwords being stolen by performing MITM attacks on login forms, but the basic techniques of javascript injection have been used at scale by <a href=\"http:\/\/arstechnica.com\/tech-policy\/2014\/09\/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality\/\">Internet Service Providers<\/a> and <a href=\"http:\/\/arstechnica.com\/security\/2015\/04\/meet-great-cannon-the-man-in-the-middle-weapon-china-used-on-github\/\">governments<\/a>.<\/p>\n<h3><b>Why does my browser sometimes show this warning when I don\u2019t see a password field on the page?<\/b><\/h3>\n<p>Sometimes password fields are in a hidden &lt;div&gt; on a page, that does not show up without user interaction. We have a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1216802\">bug<\/a> open to detect when a password field is visible on the page.<\/p>\n<h3><b>Will this feature become available to Firefox Beta and Release Users?<\/b><\/h3>\n<p>Right now, the focus for this feature is on developers, since they\u2019re the ones that ultimately need to fix the sites that are exposing users\u2019 passwords. In general, though, since we are working on <a href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/30\/deprecating-non-secure-http\/\">deprecating non-secure HTTP<\/a> in the long run, you should expect to see more and more explicit indications of when things are not secure. For example, in all current versions of Firefox, the Developer Tools Network Monitor shows the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Tools\/Network_Monitor#Security_icons\">lock with a red strikethrough for all non-secure HTTP connections<\/a>.<\/p>\n<h3><b>How do I enable this warning in other versions of Firefox?<\/b><\/h3>\n<p>Users of Firefox version 44+ (on any branch) can enable or disable this feature by following these steps:<\/p>\n<ol>\n<ol>\n<ol>\n<li>Open a new window or tab in Firefox.<\/li>\n<li>Type about:config and press enter.<\/li>\n<li>You will get to a page that asks you to promise to be careful. Promise you will be.<\/li>\n<li>The value of the <em>security.insecure_password.ui.enabled<\/em> preference determines whether or not Firefox warns you about non-secure login pages. You can enable the feature and be warned about non-secure login pages by setting this value to true. You can disable the feature by setting the value to false.<\/li>\n<\/ol>\n<\/ol>\n<\/ol>\n<h3><b>Thank you!<\/b><\/h3>\n<p>A special thanks to Paolo Amadini and Aislinn Grigas for their implementation and user experience work on this feature!<\/p>\n<p><a name=\"insec-pass-footnote1\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.\u00a0 See this post for more details. Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP. Username and password pairs control access to users\u2019 personal data. Websites should handle this information with care and only request passwords over&hellip; <a class=\"more-link\" href=\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\" title=\"Read the rest of &#8220;No More Passwords over HTTP, Please!&#8221;\">Read more<\/a><\/p>\n","protected":false},"author":412,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>No More Passwords over HTTP, Please! - Tanvi Vyas<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"No More Passwords over HTTP, Please! - Tanvi Vyas\" \/>\n<meta property=\"og:description\" content=\"Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.\u00a0 See this post for more details. Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP. Username and password pairs control access to users\u2019 personal data. Websites should handle this information with care and only request passwords over&hellip; Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\" \/>\n<meta property=\"og:site_name\" content=\"Tanvi Vyas\" \/>\n<meta property=\"article:published_time\" content=\"2016-01-28T22:14:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-07-14T20:59:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png\" \/>\n<meta name=\"author\" content=\"Tanvi Vyas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TanviHacks\" \/>\n<meta name=\"twitter:site\" content=\"@TanviHacks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tanvi Vyas\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\",\"url\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\",\"name\":\"No More Passwords over HTTP, Please! - Tanvi Vyas\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png\",\"datePublished\":\"2016-01-28T22:14:53+00:00\",\"dateModified\":\"2022-07-14T20:59:30+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage\",\"url\":\"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png\",\"contentUrl\":\"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/tanvi\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"No More Passwords over HTTP, Please!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/tanvi\/\",\"name\":\"Tanvi Vyas\",\"description\":\"Security and Privacy Engineer  - @TanviHacks\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/tanvi\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\",\"name\":\"Tanvi Vyas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=blank&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=blank&r=g\",\"caption\":\"Tanvi Vyas\"},\"description\":\"Security\/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks\",\"sameAs\":[\"https:\/\/blog.mozilla.org\/tanvi\/\",\"https:\/\/x.com\/@TanviHacks\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"No More Passwords over HTTP, Please! - Tanvi Vyas","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/","og_locale":"en_US","og_type":"article","og_title":"No More Passwords over HTTP, Please! - Tanvi Vyas","og_description":"Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.\u00a0 See this post for more details. Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP. Username and password pairs control access to users\u2019 personal data. Websites should handle this information with care and only request passwords over&hellip; Read more","og_url":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/","og_site_name":"Tanvi Vyas","article_published_time":"2016-01-28T22:14:53+00:00","article_modified_time":"2022-07-14T20:59:30+00:00","og_image":[{"url":"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png"}],"author":"Tanvi Vyas","twitter_card":"summary_large_image","twitter_creator":"@TanviHacks","twitter_site":"@TanviHacks","twitter_misc":{"Written by":"Tanvi Vyas","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/","url":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/","name":"No More Passwords over HTTP, Please! - Tanvi Vyas","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/tanvi\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage"},"thumbnailUrl":"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png","datePublished":"2016-01-28T22:14:53+00:00","dateModified":"2022-07-14T20:59:30+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#primaryimage","url":"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png","contentUrl":"https:\/\/hacks.mozilla.org\/files\/2016\/01\/struckthrough-lock-before-after.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/tanvi\/"},{"@type":"ListItem","position":2,"name":"No More Passwords over HTTP, Please!"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/tanvi\/#website","url":"https:\/\/blog.mozilla.org\/tanvi\/","name":"Tanvi Vyas","description":"Security and Privacy Engineer  - @TanviHacks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/tanvi\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143","name":"Tanvi Vyas","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/tanvi\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=blank&r=g","caption":"Tanvi Vyas"},"description":"Security\/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks","sameAs":["https:\/\/blog.mozilla.org\/tanvi\/","https:\/\/x.com\/@TanviHacks"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/posts\/199"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/users\/412"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/tanvi\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}