I’m creating an API intended to be used by JavaScript clients hosted on different domains via CORS requests.
My API can only be accessed via HTTPS.
I’d like to restrict access to only those JavaScript clients that are also served from HTTPS domains.
Reading the CORS spec – http://www.w3.org/TR/cors/#user-agent-security – it appears that most user agents will automatically prevent HTTPS client to HTTP API requests.
Is it possible to require the reverse – i.e. prevent HTTP clients accessing my HTTPS API?
What about checking the Referer header to see if it begins with “https”? You could also verify that the Referer matches the Origin domain as a sanity check.
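A server-side version of that check, as an added example that is not part of the answer above: it accepts a cross-origin request only when the Origin header is an https page and, whenever a Referer is present, only when its scheme and host agree with the Origin. The function name and the sample request headers are constructed for the example; a missing Referer is tolerated because browsers routinely omit it, while Origin is always sent on CORS requests.

```python
# Added example: decide whether a cross-origin request comes from an HTTPS page.
from urllib.parse import urlsplit


def _scheme_and_host(url: str):
    """Return (scheme, host[:port]) in lowercase, or None if the URL is unusable."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return parts.scheme.lower(), parts.netloc.lower()


def cors_origin_allowed(headers: dict) -> bool:
    """Apply the rules from the answer above to one request's headers.

    * Origin must be present and use the https scheme.
    * If Referer is present, its scheme and host must match Origin.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    origin = lower.get("origin")
    if not origin or origin.strip().lower() == "null":
        # No Origin, or the opaque "null" origin: refuse cross-origin access.
        return False

    origin_parts = _scheme_and_host(origin)
    if origin_parts is None or origin_parts[0] != "https":
        # Plain-HTTP (or malformed) page: refuse.
        return False

    referer = lower.get("referer")
    if referer is not None and _scheme_and_host(referer) != origin_parts:
        # Referer disagrees with Origin: treat the request as suspicious.
        return False

    return True


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"Origin": "https://app.example.com", "Referer": "https://app.example.com/page"},
    {"Origin": "http://app.example.com", "Referer": "http://app.example.com/page"},
    {"Origin": "https://app.example.com", "Referer": "http://app.example.com/page"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["Origin"], "->", "allow" if cors_origin_allowed(req) else "deny")
```

Only when `cors_origin_allowed` returns True should the response echo the Origin in `Access-Control-Allow-Origin` (with `Vary: Origin`); otherwise omit the CORS headers so the browser blocks the response.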