Joren

Reputation: 9915

Getting around https mixed content issues?

I have an https site that needs data from an API that is only available in http.

To get around the mixed content warning, I changed it so the JS requests a path on the server, which then makes the http request and returns the data.

Is this bad? If it is bad, why?

Upvotes: 0

Views: 94

Answers (1)

bkr

Reputation: 1484

My understanding of what you're doing:

You are providing an HTTPS URL on your server which is essentially acting as a proxy, making a backend connection between your server and the API provider over HTTP.

If my understanding of what you're doing is correct, then what you're doing is better than just serving everything over HTTP...

You are providing security between the client and your server. Most security threats that would take advantage of a plain HTTP connection are in the local environment of the client, such as on a shared local network: dodgy wifi in a cafe, school LANs, etc.

The connection between your server and the API provider is unencrypted but apparently they only provide that unencrypted anyway. This is really the best you can do unless your API provider starts providing an HTTPS interface.

It's more secure than doing nothing and should eliminate the browser errors.

If there is a real need for security (PCI compliance, HIPAA, etc.), however, you should stop using that API. However, it seems unlikely considering the circumstantial evidence in your question.

Upvotes: 1
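
The arrangement described in the answer above, as an added example that is not code from the question or the answer: a Node.js handler on the HTTPS site that relays GET requests to one fixed plain-HTTP upstream and treats the unencrypted reply as untrusted. The upstream origin, the `/proxy/` prefix and the allowed paths are assumptions chosen for illustration.

```javascript
// Added example. UPSTREAM_ORIGIN, the /proxy/ prefix and ALLOWED_PATHS are
// placeholders (assumptions), not values from the question or answer.
const UPSTREAM_ORIGIN = 'http://api.example.invalid';
const ALLOWED_PATHS = new Set(['/v1/forecast', '/v1/stations']);
const MAX_BODY_BYTES = 64 * 1024;

// Map a browser request such as /proxy/v1/forecast?city=x to the upstream URL.
// Only the path and query are taken from the client; the host is fixed, and
// anything outside the allow-list (or unparseable) yields null.
function toUpstreamUrl(requestUrl) {
  let u;
  try { u = new URL(requestUrl, 'https://placeholder.invalid'); } catch { return null; }
  if (!u.pathname.startsWith('/proxy/')) return null;
  const path = u.pathname.slice('/proxy'.length);
  return ALLOWED_PATHS.has(path) ? UPSTREAM_ORIGIN + path + u.search : null;
}

// The server-to-API leg is unencrypted, so its reply is untrusted input:
// require status 200, a JSON content type, a bounded size and valid JSON.
function checkUpstreamBody(status, contentType, body) {
  if (status !== 200) throw new Error('upstream status ' + status);
  if (!/^application\/json\b/i.test(contentType || '')) throw new Error('unexpected content type');
  if (Buffer.byteLength(body) > MAX_BODY_BYTES) throw new Error('upstream body too large');
  return JSON.stringify(JSON.parse(body)); // throws on malformed JSON
}

// Node-style (req, res) handler; fetchImpl is injectable for offline testing.
async function proxyHandler(req, res, fetchImpl = fetch) {
  const target = req.method === 'GET' ? toUpstreamUrl(req.url) : null;
  if (!target) { res.writeHead(404); res.end(); return; }
  try {
    const r = await fetchImpl(target, { redirect: 'error', signal: AbortSignal.timeout(5000) });
    const out = checkUpstreamBody(r.status, r.headers.get('content-type'), await r.text());
    res.writeHead(200, { 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff' });
    res.end(out);
  } catch (err) {
    res.writeHead(502); // do not relay upstream errors or partial bodies
    res.end();
  }
}
```

The handler can be passed to `https.createServer` on the existing site; the browser then only ever talks to the HTTPS origin.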
