SSL on site which asks API via HTTPS

@Shanna517

Posted in: #Api #Https

For example, I have a site site.com. It has its own HTTP JSON API: api.site.com. The API has authorisation and it runs under HTTPS.

Now, I need to make a visualization of some functionality of the JSON API, so I need to make a profile section on site.com:
an authorisation form, and a user profile section with actions.

All actions will be done via cURL requests to api.site.com.
Do I have to use SSL on site.com too?


@Chiappetta492

Regarding the server to server communication, it's not really necessary to run SSL on site.com, since the communication it makes with api.site.com will be encrypted and the identity of api.site.com will be trusted (using its certificate). If the main site must authenticate itself with the API subdomain, however, it's a good idea to use SSL there too (although other forms of authentication are possible).

From the end-user perspective, however, things are different: since the browser is communicating with the main site using simple http it can expect no protection against MitM attacks, so any data exchanged this way can be read or manipulated by a malicious third party. This wouldn't be a problem if this data were public and unimportant, but from what I understood the "user profile" involves credentials (authorization - or would it be authentication?) and other actions which I believe should be restricted to that particular user. In that case, use of SSL on site.com is really necessary.

P.S. If the browser is the one accessing api.site.com, then in principle it wouldn't be a problem - since all communication would be done securely - but OTOH you can't trust the code in your page, since it came from an unprotected site.com. In the end, only having the top level site using SSL would ensure proper security (and ideally, no untrusted content should be mixed in).

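The answer above makes two separate points: the server-to-server leg (site.com calling api.site.com) is safe as long as the client actually verifies the API's certificate, while the browser-facing leg is only safe if site.com itself is served over HTTPS with no plain-http content mixed in. The following Python is an added example written for this page, not code from the question or the answer; it shows a strict TLS context for the backend cURL-style calls, and a small audit of what site.com hands to the browser. The response headers and the HTML snippet are constructed sample data, and the host `cdn.example` is a placeholder.

```python
import re
import ssl
from typing import List, Tuple

# --- Server-to-server leg: site.com backend -> api.site.com -------------------

def api_client_context() -> ssl.SSLContext:
    """TLS context for the backend's calls to api.site.com.

    create_default_context() loads the system CA store, requires a valid
    certificate and checks that it is issued for the host we connect to, so a
    MitM presenting some other certificate is rejected. Pass this context to
    urllib / http.client; the equivalent for the curl CLI is simply not using
    -k / --insecure.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if certificate validation and hostname checking are both on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# --- Browser leg: what site.com serves to the end user ------------------------

def audit_frontend_response(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a page that carries the login form / profile section.

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    findings = []
    if scheme.lower() != "https":
        findings.append("page served over plain http")
    names = {name.lower() for name, _ in headers}
    # HSTS is only honoured by browsers on https responses, so report it there.
    if scheme.lower() == "https" and "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {cookie_name} lacks Secure flag")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name} lacks HttpOnly flag")
    return findings


SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def insecure_script_sources(html: str) -> List[str]:
    """Scripts loaded over plain http: a MitM can rewrite them, which is the
    'you can't trust the code in your page' problem from the answer."""
    return [src for src in SCRIPT_SRC.findall(html) if src.lower().startswith("http://")]


# --- Constructed sample data (not captured from any real site) ----------------

INSECURE_PAGE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])

HARDENED_PAGE = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

SAMPLE_HTML = """
<script src="http://cdn.example/analytics.js"></script>
<script src="https://api.site.com/client.js"></script>
"""

if __name__ == "__main__":
    print("backend TLS context strict:", context_is_strict(api_client_context()))
    print("insecure page:", audit_frontend_response(*INSECURE_PAGE))
    print("hardened page:", audit_frontend_response(*HARDENED_PAGE))
    print("plain-http scripts:", insecure_script_sources(SAMPLE_HTML))
```

The backend check is deliberately boring: the default context already does the right thing, and the only way to break the server-to-server leg is to turn verification off. The frontend audit is where the answer's real warning lives, since a login form on plain http, a session cookie without Secure, or a script pulled over http each undo the protection the HTTPS API provides.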

