Instead of redirecting API calls from HTTP to HTTPS, make the failure visible. Unfortunately, many well-known API providers don't currently do so.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

This post argues that APIs should not redirect HTTP to HTTPS due to the downsides and potential security risks involved. It highlights the importance of a fail-fast approach for unencrypted API calls and suggests disabling the HTTP interface or returning clear error responses for unencrypted requests. The post also mentions popular APIs that either redirect or respond with plaintext, and suggests amending best practices to explicitly recommend against redirecting HTTP to HTTPS for APIs.

Your API Shouldn't Redirect HTTP to HTTPS

Bonus Round: Popular APIs That Respond In Plaintext

<blockquote>
revoke API keys sent over the unencrypted connection.
</blockquote>
The 8 most important words of the article

Great point! Disabling HTTP in APIs is crucial for security. Redirects can hide errors and expose sensitive data. Do you agree that APIs should reject insecure HTTP requests instead of redirecting to HTTPS?

Never thought of this, but extremely useful. I’m going to be mindful of that now

Great article and absolutely great idea. I always said that HTTP is no longer needed with the launch of services like LetsEncrypt. And I absolutely love the idea of automatically revoking of API keys sent over HTTP.