ToddK Posted November 17, 2016 Share Posted November 17, 2016 (edited) i enabled webservice today and found that it does not force SSL so it works with h ttps and h ttp. Should I be concerned h ttp works? Edited November 17, 2016 by Med_Todd (see edit history) Link to comment Share on other sites More sharing options...
tobiasbp Posted November 17, 2016 Share Posted November 17, 2016 You should not use unencrypted connections (http) since your keys can be obtained by a 3rd party. Web service is not supposed to enforce encryption. You should choose to use it. You can get free certificates here: https://letsencrypt.org/ Link to comment Share on other sites More sharing options...
ToddK Posted November 17, 2016 Author Share Posted November 17, 2016 Than you for your quick reply I have my htaccess file set to force encryption (https) on all pages. but when I enabled webservice I checked to ensure the examplesite . com/api forced https I found it did not. Is there a way to disable the unencrypted access (http) or is it just an expectation remote users to use (https) Link to comment Share on other sites More sharing options...
tobiasbp Posted November 17, 2016 Share Posted November 17, 2016 You should redirect all traffic on port 80 (http) to 443 (https). You should not let the user of api make security choices for your site. 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now