Your API Shouldn't Redirect HTTP to HTTPS

The common practice of redirecting API calls from HTTP to HTTPS should be reconsidered. Many programmatic API clients keep no browser-style state, such as a record of HSTS headers they have previously seen, so a redirect teaches them nothing and the next request goes out in cleartext again. The usability-versus-security tradeoff argument does not apply either, because APIs are mostly consumed by other software rather than by people typing URLs. HTTP interfaces should be disabled entirely, or should return a clear error response for unencrypted requests. Any API credential sent over an unencrypted connection should be considered compromised and revoked.
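The recommendation above, as an added example that is not code from the original post: a small WSGI-style handler that answers cleartext requests with an explicit error instead of a redirect, and revokes any bearer token that arrived over HTTP. The in-memory token store, the token values, the `trust_proxy` flag and the error body are all constructed assumptions for the demonstration.

```python
"""Reject plain-HTTP API requests with a clear error instead of redirecting.

Added example, not from the original post. The token store below is a
constructed in-memory stand-in for a real credential database.
"""
import json

# Constructed sample credential store (token -> owning service); assumption.
ACTIVE_TOKENS = {"tok_alpha": "svc-billing", "tok_beta": "svc-reports"}
REVOKED_TOKENS = set()

JSON_HEADERS = [("Content-Type", "application/json")]


def request_scheme(environ, trust_proxy=False):
    """Return the scheme the client actually used ("http" or "https").

    X-Forwarded-Proto is honoured only when the app is explicitly told it
    sits behind a trusted TLS-terminating proxy; otherwise the header is
    client-controlled and must be ignored in favour of wsgi.url_scheme.
    """
    if trust_proxy and "HTTP_X_FORWARDED_PROTO" in environ:
        return environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def extract_bearer(environ):
    """Pull the token out of an 'Authorization: Bearer <token>' header."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def revoke(token):
    """Treat a credential observed on a cleartext connection as compromised."""
    if token in ACTIVE_TOKENS:
        del ACTIVE_TOKENS[token]
        REVOKED_TOKENS.add(token)


def handle(environ, trust_proxy=False):
    """Return (status, headers, body) for one API request.

    Cleartext requests never get a 301/302 to https://; they get a 403 with
    a machine-readable reason, and any credential they carried is revoked.
    """
    token = extract_bearer(environ)
    if request_scheme(environ, trust_proxy) != "https":
        if token is not None:
            revoke(token)
        body = {
            "error": "cleartext_not_supported",
            "message": (
                "This API is served only over HTTPS. Any credential sent with "
                "this request has been revoked; issue a new one and retry over https://."
            ),
        }
        return "403 Forbidden", JSON_HEADERS, json.dumps(body)
    if token not in ACTIVE_TOKENS:
        return "401 Unauthorized", JSON_HEADERS, json.dumps({"error": "invalid_token"})
    return "200 OK", JSON_HEADERS, json.dumps({"caller": ACTIVE_TOKENS[token]})


def app(environ, start_response):
    """Minimal WSGI callable wrapping handle(); mount it behind your server."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Constructed sample request arriving in cleartext with a live token.
    sample = {"wsgi.url_scheme": "http", "HTTP_AUTHORIZATION": "Bearer tok_alpha"}
    status, _, body = handle(sample)
    print(status, body)
    print("revoked:", sorted(REVOKED_TOKENS))
```

The revocation step is the part most deployments skip: a redirect-only setup silently accepts that the token already crossed the network in the clear. Where the listener can be removed altogether, do that instead and keep this handler only for the proxy case, where `trust_proxy=True` lets the app see the original scheme from a TLS-terminating front end.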
