Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How do I ensure that all requests to our API is via https? Do we use an .htaccess file to automatically redirect to ssl, or should we just refuse connections that are not over https with an error message? If its the second one, whats the best way of achieving this?
You should make life as easy as possible for the users of your API – but “easy” for a developer usually means explicit.
My strong preference in these situations is to treat this as a violation of a pre-condition, and throw an error. If your API is RESTful, one of the HTTP errors has my preference – e.g. a custom error 503 FORBIDDEN, with custom text explaining you must connect on SSL.
A developer who mistakenly connects to the non-encrypted service end point will get immediate, clear, human-readable feedback.
I would caution against a redirect – this achieves its goal as a side effect, and may well work when the developer connects using a web browser, and fail when using their web service client (not all of which play nice with redirects, in my experience).
I would also prefer throwing an error over simply not opening the HTTP port/listener – it usually takes a while for the connection to time out, which would lead your client developer to think the server is down, rather than immediately realize the root cause of the error.