D'Arcy

Reputation: 41

Do I run significant risks by having my API called as HTTP rather than HTTPS?

I have a GET API that is called by a JS snippet to offload some computation from the browser. There is no reason that any actual user would directly call the API (and it would be a violation of our ToS if they did).

Is there a significant risk if we call this API as an HTTP request rather than HTTPS? It should reduce our response times; however, we're not sure if this represents a vulnerability to either us or our users.

Upvotes: 0

Views: 180

Answers (2)

BinarSkugga

Reputation: 397

Yes. You risk MITM (man-in-the-middle) attacks: someone impersonating your server, spying on your client's requests and even potentially changing them.

Upvotes: 1

Chris

Reputation: 875

If you make XMLHttpRequest or fetch() requests to your HTTP API from HTTPS pages, you will get mixed content errors.

Upvotes: 2
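The check behind the mixed content errors mentioned in the answer above, as an added example that is not part of the original answer: a simplified model of the W3C Mixed Content rule for fetch()/XMLHttpRequest, useful for auditing a list of API endpoints before deployment. The `example.com` hostnames and the function names are constructed for illustration.

```javascript
// Added example: simplified model of the browser's mixed-content decision
// for fetch()/XHR. Hostnames are constructed placeholders.

// URLs the browser treats as "potentially trustworthy": TLS schemes and
// loopback addresses (loopback is exempt so local development still works).
function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         host === '[::1]' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Verdict for a fetch()/XHR issued by a script running on pageUrl:
//   'blocked'           HTTPS page, insecure target: browser refuses the request
//   'allowed-plaintext' HTTP page, HTTP target: sent, but readable and
//                       modifiable by anyone on the network path
//   'allowed'           target is potentially trustworthy
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Resolve relative and protocol-relative URLs against the page, as the browser does.
  const target = new URL(requestUrl, page);
  if (isPotentiallyTrustworthy(target)) return 'allowed';
  return page.protocol === 'https:' ? 'blocked' : 'allowed-plaintext';
}

// Run the check over every endpoint a page's scripts call.
function auditEndpoints(pageUrl, endpoints) {
  return endpoints.map((endpoint) => ({
    endpoint,
    verdict: classifyRequest(pageUrl, endpoint),
  }));
}

// Constructed sample: an HTTPS page calling a mix of endpoints.
const report = auditEndpoints('https://app.example.com/dashboard', [
  'http://api.example.com/compute',   // plain HTTP API, as in the question
  'https://api.example.com/compute',  // same API over TLS
  '//api.example.com/compute',        // protocol-relative: inherits https
  '/compute',                         // same-origin relative path
  'http://localhost:8080/compute',    // loopback development server
]);
console.table(report);
```

Unlike images or video, fetch() and XHR requests are not auto-upgraded to HTTPS by the browser, so the first entry fails outright rather than degrading.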
