HTTP / HTTPS Support
When your subscribers call your service through WebServius, you can allow them to use HTTP, HTTPS (a secure HTTP connection), or both.
It does not matter how your actual service is hosted: for example, you can host your service using HTTP, but still allow subscribers to call it using HTTPS through WebServius. In this case, WebServius receives the subscriber's call over HTTPS and forwards it to your service over HTTP, so only the subscriber-to-WebServius leg is encrypted.
HTTPS encrypts the traffic, so it cannot be eavesdropped on by a third party, and assures the subscriber that they are actually connected to WebServius and not to some other site pretending to be WebServius. However, it imposes a significant performance penalty. For this reason, WebServius may in the future start charging higher fees or imposing tighter limits on HTTPS traffic.
Currently, the only authentication mode offered by WebServius is including the developer key as a URL parameter when invoking the service. Unfortunately, this means that the key can be stolen unless the traffic is over HTTPS. In the future, WebServius will offer additional authentication methods that are secure even over simple HTTP.
Taking all of the above into account, the current guidance is as follows:
- If your API deals with private or sensitive data (e.g. private account balances or credit card numbers), or you are worried about spoofing attacks (someone pretending to be you and providing your subscribers with fake data), or you expect access to your API to be expensive, consider making your service HTTPS Only, but keep in mind the performance implications mentioned above.
- For most paid APIs, HTTP or HTTPS would be a good choice. This gives your subscribers the flexibility to choose between a more performant or a more secure connection method.
- For most free APIs, HTTP Only would be a good choice. Even if someone steals a free API key, in most scenarios the damage is minimal.
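
The point above about a developer key carried as a URL parameter, as an added example (not WebServius code): a client-side guard that refuses to attach the key to a plain-HTTP URL unless the caller explicitly allows it, plus a helper that masks the key before a URL is logged. The parameter name `key` and the host `api.example.com` are assumptions; use the names your service documents.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

KEY_PARAM = "key"  # assumption: hypothetical parameter name, not taken from WebServius


class InsecureKeyTransport(ValueError):
    """Raised when a developer key would be sent over an unencrypted connection."""


def attach_key(url, developer_key, allow_plain_http=False):
    """Return url with the developer key appended as a query parameter.

    Refuses http:// unless the caller opts in, e.g. for a free API where
    a leaked key does little damage.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if scheme == "http" and not allow_plain_http:
        raise InsecureKeyTransport("developer key would cross the network in clear text")
    # Drop any key already present so the URL never carries two values.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != KEY_PARAM]
    query.append((KEY_PARAM, developer_key))
    return urlunsplit((scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def redact_key(url):
    """Mask the key before the URL is written to logs or error reports."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == KEY_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample values; api.example.com is a placeholder host.
    signed = attach_key("https://api.example.com/v1/quotes?symbol=ABC", "k-1234")
    print(redact_key(signed))
```

Because the key sits in the URL, it also ends up wherever URLs are recorded (client logs, proxy logs, error reports), which is why the redaction helper matters even when the call itself uses HTTPS.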