I have a .net API that’s used by clients to get HTML templates that we build based on their request, and then send it back to them so they can paint it on their page.
What I’m wondering about is simply a best-practice case for a specific behavior of the API. It’s set up such that the protocol we put in for all the links and images/assets in the template match the protocol of the incoming request, to avoid those annoying mixed content security messages that come up when sending http content over https requests/pages.
I’m being told that I should change the content we deliver to always use the https protocol, even when being called over an http request. I’ve already looked at a lot of other questions on here, like this one here, but they’re all about the opposite direction of what I’m doing.
So my question is, aside from performance differences with using https only, is there a reason I shouldn’t be just forcing everything to be https even from http locations?
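As an added illustration (not the asker's code), this C# helper rewrites the scheme of every absolute src/href reference in a generated template. Passing the request's scheme reproduces the current "match the request" behaviour, while passing "https" gives the proposed always-https behaviour; https references embedded in an http page do not trigger mixed-content warnings, since those only fire for http content on https pages. The sample template and host names are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the asker's code: rewrite the scheme of every absolute
// src/href reference in a generated template. Passing the request's scheme
// reproduces the current "match the request" behaviour; passing "https"
// implements the proposed always-https behaviour.
public static class TemplateLinks
{
    // Captures the attribute name, the quote character, and the part after the scheme.
    private static readonly Regex AbsoluteRef = new Regex(
        @"(?<attr>\b(?:src|href))=(?<q>[""'])https?://(?<rest>[^""']*)\k<q>",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string SetScheme(string html, string scheme)
    {
        if (scheme != "http" && scheme != "https")
            throw new ArgumentException("scheme must be http or https", nameof(scheme));

        return AbsoluteRef.Replace(html, m =>
            m.Groups["attr"].Value + "=" + m.Groups["q"].Value + scheme + "://" +
            m.Groups["rest"].Value + m.Groups["q"].Value);
    }

    public static void Main()
    {
        // Constructed sample template; protocol-relative refs (//host/...) are left alone.
        string template =
            "<img src=\"http://cdn.example.com/logo.png\">" +
            "<a href='https://www.example.com/help'>Help</a>" +
            "<script src=\"//cdn.example.com/app.js\"></script>";

        Console.WriteLine(SetScheme(template, "https")); // proposed: always https
        Console.WriteLine(SetScheme(template, "http"));  // current: match an http request
    }
}
```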
A client that does not support https or does not trust your certificate.
I doubt either would happen but you asked for a reason.
Personally I think it is just courteous to respond with the same protocol as the request.
If the data is sensitive then I assume you would not honor HTTP at all.