Introduction
Hello,
I’m that typical programmer who knows how to use an API, but tends to realize that I should know more about using APIs, shrugs my shoulders and keeps using what I know.
I know how to troubleshoot APIs (even though I hate doing it), and I know that most of the time it’s a really good idea to heavily validate the data being sent to my own API, in case someone else likes to send their own values instead of the intended ones.
Question
One thing I can’t grasp though is why it is considered necessary to use SSL/HTTPS on API calls between two sites. For instance, my site does a curl to an API on another site. There is no user nor browser between the call of these two sites.
Perhaps I’ve missed some common rule in web practice, but where’s the middleman who can yoink the sent information in a situation like this?
I understand that malicious software can collect your personal data when it’s sent through your browser though.
The question is basically: why is there a need for SSL when doing calls without any private user directly involved in the call?
Extra thoughts
If it’s the case that I’ve missed some really big piece of information regarding APIs, let me know.
Thanks for your time!
A browser/user doesn’t have to be directly involved to sniff network packets. Using cURL on your web server is the same as using a browser from your home computer except for the fact that the request is coming from a different computer/network and there is no GUI. Someone can still be listening somewhere in between the computer executing cURL (client) and the server that the API resides on (server).
It’s best to require SSL for API calls because APIs usually require a key that grants access to the API. If this request is sent in plain text, anyone sniffing packets in between the server and client can see this API key and start using it. On the other hand, if the API request is sent via SSL it will be encrypted and much more difficult to figure out.
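As an added illustration of the answer above (not part of the original thread): a Python snippet that shows what a plaintext server-to-server curl request looks like on the wire, how trivially the API key can be pulled out of it by anything observing the traffic (the same logic works as an egress check for credentials leaving over http://), and a client-side guard that only talks HTTPS with certificate verification on. The capture bytes, host name and key value are constructed placeholders.

```python
import ssl
from urllib.parse import urlparse
from urllib.request import HTTPSHandler, build_opener

# Constructed sample: the bytes a server-side `curl -H "Authorization: ..."`
# call puts on the wire when the URL is plain http://. Every hop between the
# two servers can read them. The key is a made-up placeholder value.
PLAINTEXT_CAPTURE = (
    b"GET /v1/orders?status=open HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Authorization: Bearer EXAMPLE-API-KEY-0000\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Header names that commonly carry an API credential (list chosen for this example).
CREDENTIAL_HEADERS = ("authorization", "x-api-key", "api-key")


def find_plaintext_credentials(capture: bytes) -> dict:
    """Return credential headers readable in an unencrypted HTTP request.

    This is exactly what a passive observer sees when the call is made over
    http:// instead of https://; over TLS these bytes are encrypted.
    """
    head, _, _ = capture.partition(b"\r\n\r\n")   # headers end at the blank line
    found = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower().decode() in CREDENTIAL_HEADERS:
            found[name.strip().decode()] = value.strip().decode()
    return found


def require_https(url: str) -> str:
    """Refuse to build a request to anything but an https:// URL."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing plaintext API call to {url}")
    return url


def https_opener():
    """urllib opener that verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()            # CA + hostname verification enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject obsolete protocol versions
    return build_opener(HTTPSHandler(context=ctx))


if __name__ == "__main__":
    print(find_plaintext_credentials(PLAINTEXT_CAPTURE))
```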