Runscope, Inc. Blog Error # 2 - "Forgetting the Seasoning or Using http:// Instead of https://

Just like failing to add salt to a dish causes a diner to wince, forgetting a single “s” can cause some surprises during API testing. Many APIs will only support HTTPS, while others may support a combo of HTTP for some endpoints and not others. Even if an API has the apparent flexibility to support both, there can still be problems.For example, some APIs will conveniently redirect HTTP requests to their HTTPS counterpart; however, not all frameworks are configured to follow a 302-status code.An example is the Node.js® ‘request’ module, which will follow a GET redirect by default, but has to be explicitly configured to follow non-GET responses (PUSH, POST, etc) as redirects. It is also common for an API provider to stop supporting HTTP. Good providers will notify you well in advance via their websites, dev communities, and social media. An example was the Instant Payment Notification microsite of PayPal.® It’s important to stay up-to-date and integrate important update notices into your own developer communication channels. On the API provider side, it’s important that HTTPS strategies are in place to ensure the secure, private, and reliable connections users, customers and partners expect from your APIs. The process for getting certificates might have previously been used as an excuse for not moving to HTTPS, however, solutions like Let’s Encrypt® – an open certificate authority – have helped lessen the pain. Download the Full Whitepaper