Hi Roy!
Currently you can use both http and https in the backend URL without any restrictions.
But the idea of a configuration item sounds rather useful and interesting.
We will discuss it with the development team. Thanks!
Since you as a developer would have ultimate control over how your app communicates with the backend, and thus you can choose between https:// and http://, what value would the configuration item add?
I think it would provide a degree of certainty that all URLs used in the application would have to follow this further security-tightened access rule of using HTTPS only. I wouldn’t want to accidentally have a misconfiguration or incorrect piece of code that should have been using the more secure method.
I think having a configuration item in the account’s settings to turn on/off using only HTTPS would greatly benefit application security against the above, and also MITM attacks.
If I understand correctly, this would be protection against a developer’s own negligence, right? Specifically, a developer who uses the REST APIs, since all other SDKs we provide already include an https-based URI in the libraries.