HTTP vs HTTPS

Wherever possible we should remove tight coupling of business logic on products and services, to ensure services can be used in discrete chunks (aka APIs!).

Working back with our own Security team, there is a strong desire to push internal business logic onto public-facing APIs.

A recent case came up with regards to HTTP vs HTTPS - should all APIs be HTTPS, or should we give developers a choice?

Security would argue that we should be setting the standard on best practice, and all APIs should be HTTPS only. The overheads are small for developers going to HTTPS, so given it's best practice, let's set that as a general rule.

My view is that we should give developers a choice of either HTTP or HTTPS depending on the sensitivity of the data being exposed/written. For example, it makes no sense to encrypt publicly available weather data, so why put the overhead of HTTPS on developers?

What are people's thoughts on this?

1 ACCEPTED SOLUTION

Great Question @David.A.Freeman ,

I believe, if you're building APIs, you should most definitely be using HTTPS.

It’s easy and builds user trust, so there’s no excuse not to. As developers, it’s our job to help protect user security — and one of the best ways to do that is to force HTTPS for all APIs.

As a developer, I will trust APIs with HTTPS even though they deliver publicly available data. It's like a "verified" account where developers can trust the data coming in. Even if you are exposing public data, you might like to track who is using it using Developer Apps & Keys. Once keys come into the picture, you will definitely need HTTPS.

Hope it helps.



As a design practice, usually all data that is available in the public domain and that is not identified / authenticated by users can be HTTP. However, once we are talking about context and user-specific details or data that may be sensitive ( obviously ), it should be behind HTTP(s).

As a design, 'secure all' may not always be the best practice because of the cost of transactions etc. However, since we are talking about APIs, metering is an important aspect to keep track of who is doing what and how much ( context ), therefore in the majority of API use cases you will end up putting HTTP(s).

Securing all behind HTTP(s) is also important because data that is sent over HTTP can be read by anyone in plain text ( plain JSON/XML ) and is also cached in places that are beyond the API's control.
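The two replies above make the same practical point from two angles: once API keys are in play the transport must be HTTPS, and plain-HTTP responses can be read and cached by intermediaries the API does not control. The following is an added example, not code from the thread or from any product it mentions: a small WSGI middleware that upgrades plain-HTTP requests to HTTPS, refuses (rather than redirects) a plain-HTTP request that already carries an API key, and marks responses non-cacheable and HSTS-protected. The proxy address, the `X-Api-Key` header name, the `api_key` query parameter and the hostname `api.example.test` are assumptions chosen for the example.

```python
"""Added example: enforce HTTPS and no-store caching for an API behind a
TLS-terminating proxy.  Not part of the original thread.  Constructed values:
the trusted proxy IP, the X-Api-Key header, the api_key query parameter and the
hostname used in the sample environ.
"""

TRUSTED_PROXY_IPS = {"10.0.0.5"}   # assumption: the load balancer that terminates TLS
API_KEY_HEADER = "HTTP_X_API_KEY"   # assumption: WSGI spelling of the X-Api-Key header


def request_is_https(environ):
    """True if the request reached the API over TLS.

    X-Forwarded-Proto is only believed when the immediate peer is a known proxy;
    otherwise any client could claim to be HTTPS and bypass the policy.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXY_IPS:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_location(environ):
    """Build the https:// URL for the same host, path and query string."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + environ.get("PATH_INFO", "/") + ("?" + query if query else "")


def decide(environ):
    """Return (status, headers) when the request must be stopped, else None."""
    if request_is_https(environ):
        return None
    if API_KEY_HEADER in environ or "api_key=" in environ.get("QUERY_STRING", ""):
        # The key has already travelled in clear text; a redirect would only
        # teach the client to keep sending it that way.  Refuse instead.
        return ("403 Forbidden", [("Content-Type", "text/plain")])
    return ("301 Moved Permanently", [("Location", https_location(environ))])


class EnforceHttps:
    """WSGI middleware applying decide() and hardening response headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        verdict = decide(environ)
        if verdict is not None:
            status, headers = verdict
            start_response(status, headers)
            return [b"HTTPS required\n"]

        def _start(status, headers, exc_info=None):
            # Drop any caching/HSTS header the app set and impose the policy:
            # responses must not be stored by shared caches, and clients that
            # honour HSTS will not fall back to plain HTTP for a year.
            kept = [h for h in headers
                    if h[0].lower() not in ("cache-control", "strict-transport-security")]
            kept.append(("Cache-Control", "no-store, private"))
            kept.append(("Strict-Transport-Security", "max-age=31536000"))
            return start_response(status, kept, exc_info)

        return self.app(environ, _start)


def weather_app(environ, start_response):
    """Stand-in for the public weather API from the question (constructed)."""
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Cache-Control", "public, max-age=600")])
    return [b'{"city":"oslo","temp_c":7}']


def make_environ(scheme="http", query="", remote="203.0.113.9", **extra):
    """Constructed WSGI environ for a request to api.example.test/weather."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": "api.example.test",
           "PATH_INFO": "/weather", "QUERY_STRING": query, "REMOTE_ADDR": remote}
    env.update(extra)
    return env


def call(app, environ):
    """Drive a WSGI app once; return (status, header dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = EnforceHttps(weather_app)
    print(call(app, make_environ(query="city=oslo")))             # 301 to https://
    print(call(app, make_environ(HTTP_X_API_KEY="secret")))       # 403, key over HTTP
    print(call(app, make_environ(scheme="https")))                # 200 with no-store
```

The refuse-rather-than-redirect branch is the part worth copying: a 301 is the right answer for an anonymous GET, but for a request that already exposed a credential the useful response is one that makes the client fix its configuration. The `REMOTE_ADDR` check around `X-Forwarded-Proto` is the usual pitfall when this is deployed behind a proxy; without it the header is attacker-controlled input.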