: SSL on site which asks API via HTTPS For example I have a site site.com. It has its own http json api: api.site.com. API has authorisation and it runs under https. Now, I need to make visualization

@Chiappetta492

Regarding the server to server communication, it's not really necessary to run SSL on site.com, since the communication it makes with api.site.com will be encrypted and the identity of api.site.com will be trusted (using its certificate). If the main site must authenticate itself with the API subdomain, however, it's a good idea to use SSL there too (although other forms of authentication are possible).

From the end-user perspective, however, things are different: since the browser is communicating to the main site using simple http it can expect no protection against MitM attacks, so any data exchanged this way can be read or manipulated by a malicious third-party. This wouldn't be a problem if this data were public and unimportant, but from what I understood the "user profile" involves credentials (authorization - or would it be authentication?) and other actions which I believe should be restricted to that particular user. In that case, use of SSL in site.com is really necessary.

P.S. If the browser is the one accessing api.site.com, then in principle it wouldn't be a problem - since all communication would be done securely - but OTOH you can't trust the code in your page, since it came from an unprotected site.com. In the end, only having the top level site using SSL would ensure proper security (and ideally, no untrusted content should be mixed in).

Vote Up Vote Down