Reputation: 1569
Should HTTPS be used for all calls involving authorization
It's common to use HTTPS for authentication, so the authentication details from client cannot be sniffed. However once the user is logged in then subsequent calls to a web app passing some sort of auth id which then the web app will then use to authorise with, should that not also be HTTPS? How is this done in things like Facebook? Seems easier to make all traffic HTTPS.
Upvotes: 0
Views: 62
Answers (2)
Reputation: 318578
Assuming the server can handle it, I'd go a step further and use SSL for everything, no matter if users are logged in or not.
This has the advantage that an eavesdropper doesn't even know if the user is accessing your site/app as a guest or as an authenticated user. It also saves you from having to decide when to use SSL and when not.
Upvotes: 2
Reputation: 708
An answer by Jeff Atwood:
http://www.codinghorror.com/blog/2012/02/should-all-web-traffic-be-encrypted.html
Upvotes: 3
Related Questions
- Do I run significant risks by having my API called as HTTP rather than HTTPS?
- SSL: Do I need to secure every endpoint
- Is HMAC necessary if all API calls are made through https?
- Will an API call over HTTP be secure if it is made after some kind of authentication?
- If my web site is HTTPS does every call for data or a static page have to be HTTPS also?
- Authenticating users with tokens useless after HTTPS?
- Making all my methods require https a good idea?
- Is it necessary to use HTTPS for server side requests?
- Is HTTPS protocol relevant for REST API Webservices?
- Safe to send login credentials using HTTP and not HTTPS?