Fix HTTP→HTTPS redirect handling in PyMISP API client

[Copilot]

PyMISP was returning API description pages instead of actual API responses when using HTTP URLs that redirect to HTTPS. The session.send() call wasn't following redirects, causing the client to receive the initial redirect response rather than the final redirected response.

Changes

• Enable redirect following (api.py:4142): Added allow_redirects=True to session.send() in _prepare_request()
• Add HTTP URL warning (api.py:181-183): Log warning when HTTP URLs are used to guide users toward HTTPS
• Add unit tests (test_api_redirect.py): Validate redirect parameter passing and warning behavior

# Before
return self.__session.send(prepped, timeout=self.timeout, **settings)

# After
return self.__session.send(prepped, timeout=self.timeout, allow_redirects=True, **settings)

Backward compatible - HTTPS URLs continue to work unchanged. Addresses issue reported in #1034.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• misp.example.com
  • Triggering command: /usr/bin/python python /tmp/test_redirect_fix.py (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Problem

Issue #1034 reported that when using an http:// URL instead of https://, the add_event() method returns an API description dictionary instead of the created event object. This occurs because:

1. Many MISP servers automatically redirect HTTP requests to HTTPS
2. PyMISP's _prepare_request() method doesn't explicitly handle redirects
3. When a redirect occurs, the response contains an API description page instead of the actual API response

As confirmed in the issue comments:

"The problem is solved, I'm afraid to admit, that I tried using an http and not an https URL. This somehow resulted in the issue above."

This has affected multiple users (most recently in February 2026), causing confusion and debugging time.

Solution

Fix the redirect handling in the _prepare_request method in pymisp/api.py:

1. Add allow_redirects=True to session.send()

In the _prepare_request method (around line 4138), modify the session.send() call to:

return self.__session.send(prepped, timeout=self.timeout, allow_redirects=True, **settings)

Currently it's:

return self.__session.send(prepped, timeout=self.timeout, **settings)

2. Add URL validation warning in __init__

In the __init__ method (around line 175-180), after setting self.root_url, add a warning if HTTP is used:

self.root_url: str = url
# Warn if using HTTP instead of HTTPS
if self.root_url.startswith('http://'):
    logger.warning('Using HTTP instead of HTTPS for MISP connection. This may cause redirect issues. Consider using HTTPS.')

Testing

The fix should:

• Allow HTTP URLs to properly redirect to HTTPS when the server is configured to do so
• Maintain backward compatibility with existing HTTPS connections
• Provide clear warnings to users about potential issues with HTTP URLs

Files to Modify

• pymisp/api.py: Update _prepare_request method (around line 4138) and __init__ method (around line 175-180)

References

• Issue: add_event behaves really unexpected, returning a description(?) #1034
• Root cause identified in: add_event behaves really unexpected, returning a description(?) #1034 (comment)
• Recent occurrence: add_event behaves really unexpected, returning a description(?) #1034 (comment)

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Rafiot]

Slop: https://github.com/psf/requests/blob/main/src/requests/sessions.py#L693