How do I force HTTPS only on an API?

cboyd
Participant II

Hi All,

I have an API proxy that doesn't connect to a target server. It is just generating a JWT and returning it. However, for the deployments I am getting both HTTP and HTTPS URLs. I just want HTTPS. I don't want HTTP to even be an option.

I have looked at some of the other posts and they discuss adding the SSL info in a TargetServer section, but I don't have a target server that this is routing to.

What is the best way to handle this?

Thanks.


Hi @cboyd

I would create a specific API proxy for generating the JWT; while doing so, under the "Virtual Hosts" tab, I would uncheck the default protocol and check only the Secure (HTTPS) protocol.


That works for when you are creating a new proxy. If you have an existing proxy, you can modify the configuration of the proxy endpoint to change the vhost.

Within the proxy editor, click the Develop Tab and select the proxy endpoint.


Example:

<ProxyEndpoint name="endpoint1">
  <Description>Proxy Endpoint 1</Description>
  <HTTPProxyConnection>
    <BasePath>/verify-token</BasePath>
    <Properties/>
    <!--
      Remove or comment out the default vhost, which accepts plain HTTP:

      <VirtualHost>default</VirtualHost>
    -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- No target server: a RouteRule with no TargetEndpoint sends nothing upstream -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

Save the proxy, re-deploy as necessary, and you will have a proxy listening only on HTTPS.

Thanks @Dino and @Naseer Mohammad

Both of you guys helped!

Seems to me like this is a case where you should consider setting HTTP Strict Transport Security (HSTS) in the response header, no?

As a side note, there doesn't seem to be consensus on what to do with the existing HTTP endpoint, but it would be nice to let the developer know that they should use the HTTPS endpoint.

Since APIs are used in clients beyond browsers and for purposes beyond websites/webapps, you may need a solution beyond HSTS. One suggestion from the US Government:

All new APIs should use and require HTTPS. Rather than issue a redirect when visited over HTTP (redirects within APIs are problematic, as outlined below), the API should likely return an error message (such as the HTTP status code 403 Forbidden).
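As an added example (not from the original thread, Apigee's own documentation, or the US Government guidance quoted above), here is a complete no-target JWT proxy that ties the three suggestions in this thread together: bind only the `secure` virtual host, answer any request that still arrives over plain HTTP with 403 rather than a redirect, and set HSTS on responses for browser-based clients. The policy names `RF-RequireHTTPS` and `AM-AddHSTS`, the base path `/verify-token`, and the `JWT-Generate` step standing in for the poster's existing token policy are all assumptions; `client.scheme` is the Apigee flow variable that holds `http` or `https` for the inbound connection.

```xml
<!-- apiproxy/proxies/default.xml: the only endpoint, bound to the HTTPS vhost alone -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Defense in depth: if someone later re-attaches the default (HTTP) vhost,
           plain-HTTP callers get a 403 instead of a token. -->
      <Step>
        <Name>RF-RequireHTTPS</Name>
        <Condition>client.scheme != "https"</Condition>
      </Step>
      <!-- The existing JWT-generating policy goes here (name assumed). -->
      <Step>
        <Name>JWT-Generate</Name>
      </Step>
    </Request>
    <Response>
      <Step>
        <Name>AM-AddHSTS</Name>
      </Step>
    </Response>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/verify-token</BasePath>
    <!-- Only the TLS vhost; no <VirtualHost>default</VirtualHost> -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- No TargetEndpoint: the proxy answers the request itself. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- apiproxy/policies/RF-RequireHTTPS.xml: 403, not a redirect, for non-TLS requests -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-RequireHTTPS">
  <DisplayName>RF-RequireHTTPS</DisplayName>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <Payload contentType="application/json">{"error":"https_required","message":"This API is served over HTTPS only."}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- apiproxy/policies/AM-AddHSTS.xml: HSTS for browser clients that hit the HTTPS vhost -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-AddHSTS">
  <DisplayName>AM-AddHSTS</DisplayName>
  <Set>
    <Headers>
      <!-- One year; keep includeSubDomains only if every subdomain really is HTTPS-only. -->
      <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

Two caveats worth keeping in mind. With only `secure` bound, an HTTP request never reaches this proxy at all, so the `RF-RequireHTTPS` step is insurance against configuration drift, not the primary control; it only does real work on a proxy that must keep the `default` vhost attached for other reasons. And because `RaiseFault` short-circuits into the error flow, the 403 is sent without the HSTS header, which is the correct behaviour: browsers ignore `Strict-Transport-Security` received over plain HTTP, and non-browser API clients ignore it entirely, which is exactly why the thread recommends a hard 403 in addition to HSTS rather than relying on either alone.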