6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Should I need to force HTTPS from a mobile app to API?\",\"text\":\"

If my mobile app only makes requests using HTTPS to my API, do I need to worry about forcing HTTPS/disallowing HTTP requests?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"mergesort\"},\"upvoteCount\":0,\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

Yes you do. TLS is susceptible to something known as a Downgrade Attack. So be sure to force it to be HTTPS using HSTS (HTTP Strict Transport Security) and disallowing normal HTTP requests in your application server.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"ircmaxell\"},\"upvoteCount\":2}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","security",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/security/1","children":"security"}]}],["$","span","http",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/http/1","children":"http"}]}],["$","span","mobile",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/mobile/1","children":"mobile"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/c3cdf923e36a680f1b4ce2a996a9f2d3?s=256&d=identicon&r=PG&f=y&so-version=2","alt":"mergesort","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/629599/mergesort","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"mergesort"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",5197]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Should I need to force HTTPS from a mobile app to API?"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

If my mobile app only makes requests using HTTPS to my API, do I need to worry about forcing HTTPS/disallowing HTTP requests?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",0]}],["$","p",null,{"children":["Views: ",40]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","29718637",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/a32a990c257433d3252980e059341546?s=256&d=identicon&r=PG","alt":"ircmaxell","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/338665/ircmaxell","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"ircmaxell"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",165201]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","34965449",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/34965449","className":"text-blue-600 hover:underline","children":"How should I secure an API for use with a mobile app?"}]}],["$","li","71667127",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/71667127","className":"text-blue-600 hover:underline","children":"REST APIs can be developed without HTTPS and JWT if consumed by Android Application only?"}]}],["$","li","42914659",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/42914659","className":"text-blue-600 hover:underline","children":"Rest API security for mobile apps"}]}],["$","li","57580777",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/57580777","className":"text-blue-600 hover:underline","children":"Will HTTPS API for a mobile app protect against Wireshark and similar?"}]}],["$","li","52609170",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/52609170","className":"text-blue-600 hover:underline","children":"Included a HTTP (not HTTPS) URL link in my iOS App, do I need to disable App Transport Security?"}]}],["$","li","48405271",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/48405271","className":"text-blue-600 hover:underline","children":"Does Apple require HTTPS from iOS Apps? 2018 Version"}]}],["$","li","39743871",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/39743871","className":"text-blue-600 hover:underline","children":"Does iOS "app transport security enforcement“ mean I need to switch APIs to https?"}]}],["$","li","15273705",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/15273705","className":"text-blue-600 hover:underline","children":"Security When Using REST API in an iPhone Application"}]}],["$","li","14813556",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/14813556","className":"text-blue-600 hover:underline","children":"Mobile API Security Paradigm"}]}],["$","li","5174001",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5174001","className":"text-blue-600 hover:underline","children":"HTTPS - iPhone to API - Is URL secure?"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Should I need to force HTTPS from a mobile app to API?

Answers (1)

Related Questions