Joshua Welker

HTTPS page with HTTP API content: best practices

I have an HTTPS site that uses the Google Books API to generate a page of book images. However, the book cover images from Google Books are only available via HTTP, which results in mixed content warnings for any page on my site that displays the books.

What is the recommended practice in this scenario? As I see it, I have three options:

  1. Leave it as is. My page will technically be insecure for end users and will display mixed content warnings.

  2. Cache the images on my server and display the local copy to users. This will remove the mixed content warning, but it seems that in this case my server is vulnerable to MITM attacks and such because it is downloading content over HTTP. Doesn't sound appealing.

  3. Stop using the API and scrap the whole feature from the website. Obviously not an appealing choice.

None of these looks good. Is there some magic-bullet solution that I just don't know?

Upvotes: 0

Views: 476

Answers (1)

I'd go for option 2 as being the most transparent. Actually, you don't need a cache (if you don't want it) but just a proxy that will receive HTTPS requests, send an HTTP request and pass the received data back to the HTTPS client.

Upvotes: 3
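
An added example, not part of the original answer: a sketch of the proxy the answer describes, using Python's standard library, that treats the plain-HTTP reply as untrusted because that hop can be tampered with. It assumes TLS is terminated by the site's front-end server, which forwards `/cover?id=...` to this process; the upstream URL pattern, the `/cover` route, the type and size limits, and all names are assumptions.

```python
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
# Assumed cover URL pattern and limits (not from the original post).
UPSTREAM = "http://books.google.com/books/content"
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}
MAX_BYTES = 512 * 1024
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a tampered HTTP reply must not steer the server elsewhere
OPENER = urllib.request.build_opener(NoRedirect)

def upstream_url(request_target):
    """Map /cover?id=<volume id> to the fixed upstream URL; None if invalid."""
    parsed = urlparse(request_target)
    ids = parse_qs(parsed.query).get("id", [])
    # Clients supply only an id, never a URL, so this is not an open proxy.
    if parsed.path != "/cover" or len(ids) != 1 or not ID_RE.match(ids[0]):
        return None
    return UPSTREAM + "?" + urlencode({"id": ids[0], "printsec": "frontcover", "img": "1"})

def safe_image_type(content_type, body):
    """Return the normalized image type, or None if type or size is not acceptable."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    return ctype if ctype in ALLOWED_TYPES and 0 < len(body) <= MAX_BYTES else None

class CoverProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        url = upstream_url(self.path)
        if url is None:
            return self.send_error(400)
        try:
            with OPENER.open(url, timeout=5) as resp:
                body = resp.read(MAX_BYTES + 1)  # read one byte past the cap to detect overflow
                ctype = safe_image_type(resp.headers.get("Content-Type"), body)
        except OSError:  # covers URLError, HTTPError (including refused redirects), timeouts
            ctype = None
        if ctype is None:
            return self.send_error(502)
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), CoverProxy).serve_forever()
```

The checks bound what an altered upstream reply can do (no redirects followed, images only, capped size), but they do not authenticate the image bytes themselves.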
