[Fixed]-Can i make a call to http://api.example.com from https://example.com?

0đź‘Ť

âś…

Your browser will stop this and/or give an insecure warning and a padlock symbol for your HTTPS connection.

HTTPS indicates the site is secure, which gives certain guarantees to the visitor – namely that the site is for the given domain (authentication), that it’s not been intercepted and changed (integrity) and that no one else is able to listen in to your messages to and from the server (confidentiality).

When you add an insecure resource like an api call, those guarantees are no longer there and so the browser will give a “insecure” warning, typically with a yellow warning padlock (instead of green) and/or a pop up.

Browsers used to differentiate between inactive content (e.g. images) – which were seen as less of a risk and so allowed, and active content (e.g. JavaScript) – which were potentially dangerous and so not allowed, however don’t think they do any more. Even if they did Ajax XHR calls are definitely in the latter category.

Best option is to proxy pass the request through your main site domain through Nginx (e.g. forward requests to https://example.com/api from Nginx to your api using Nginx config).

👤Barry Pollard

1đź‘Ť

The only difference between HTTP and HTTPS is the SSL security part, if your server is able to handle HTTPS requests they will be send through to the API just like any other HTTP request, it’s only the actual data communication from the client socket to the server socket that is affected, once the data is received it’s back in plain text (or it’s original format) again.

👤MegaMiley

Leave a comment