HTTPS website+API, confusion about best practices?
Let's say we have a site
www.coolstore.com
that accesses
api.coolstore.com
What is the best practice and possible attack vectors when not sticking to them?
It seems that www.coolstore.com should be under https://www.coolstore.com. What about assets? Let's say we force a redirect to https:// on the site itself, but not on assets. e.g. you copy the request and change it to http you can access some javascript files. Would that be a problem?
How about API ? Is it neccesary that also api.coolstore.com requires https, even though it's only used by the website? Should it have http:// completely turned off?
Is there some manual of best practices with deploying react site + api ?
8 comments
[ 3.4 ms ] story [ 34.7 ms ] threadDon't use HTTP for API even if you could. Usually servers will return status 301 (client-side redirect) directed to the same URL but using HTTPS to any HTTP request.
Don't mix hostnames - do coolstore.com/api instead - that frees you from cross-origin security issues.
For example:
You set up NGINX on ports 80 and 443 and open these ports (TCP for 80 and TCP/UDP for 443) to the internet, and close all other ports. Your backend runs on port 3000, and you configure NGINX to proxy pass coolstore.com/api to said port 3000.
All client-traffic HTTPS is handled on the NGINX proxy (it can also serve your static files very well). Any HTTP requests are sent response status 301 with HTTPS version of request URL.
It's conceivable that at some point every resource loaded on an HTTPS page will require HTTPS, too.
https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...
Whether you have api.coolstore.com or not, that is more of a design decision. It is a common practice to setup website and API separate where API is hosted on subdomain. So you could do coolstore.com and api.coolstore.com but install https on both and setup http->https redirect to both.