Simoyw

Reputation: 691

Is it secure to redirect the API calls made with HTTP to my server to HTTPS?

I have a Node.js server that communicates via a REST API over HTTP. I would now like to change the transmission protocol of all my requests from HTTP to HTTPS. The problem is that I cannot change the client code.

I would like to know if redirecting all HTTP requests on the server to HTTPS is enough to have the data sent with encryption, or if I must modify the code that runs on the client and makes the requests with the HTTP protocol.

I have to do it because the data should not be sent in the clear, as some sensitive data is sent (username, password, position information).

Thanks.

Upvotes: 2

Views: 910

Answers (1)

Gabor Lengyel

Reputation: 15599

The purpose of using HTTPS is not just encryption. It also provides authentication of the server to the client, among others.

One problem with having a client that makes plain HTTP requests (regardless of whether they are then redirected) is that an attacker may create a fake server to which the client would talk, revealing secrets or pulling fake data. Without requests being made over HTTPS initially, there is nothing to stop an attacker from doing this.

Even worse, an attacker can just listen in on traffic to the real server. If a man-in-the-middle attack is possible (for example, if the attacker is on the same local network as either the client or the server), the attacker can hijack the initial plaintext request, talk HTTPS to the API, then respond over plain HTTP to the client, and so on, for all requests. From the client's perspective, it "just works"; from the server's perspective, it's all good, on HTTPS.

This is called SSL Stripping.

So the only solution is to have the client do all requests (including the first one) over https. One way to ensure this with browser clients is to use the Strict-Transport-Security (HSTS) response header. For non-browser clients, you can implement them to either comply with HSTS or simply make all requests over https.

Upvotes: 3
