Securing JSON API endpoints using HTTPS

Hi everyone!

I saw this thread in which it is stated that JSON API endpoints cannot be exposed as https.

I wanted to check in to ask whether this has changed (I checked the help text for json api and didn’t see anything immediately related but wanted to make sure) and if this hasn’t changed, are there plans to implement this in the near future?

Thanks!

The JSON API server itself is not at the moment able to handle SSL termination.

Note that this is an extremely common limitation for application servers, with a very well-known solution: use another process, on the same box, to handle SSL termination and proxy requests as HTTP locally. Many servers handle that very well (nginx, apache, lighttpd, etc.), and many load balancers offer SSL termination as a feature too (though that’s a little bit less secure as the load balancer is generally not on the same box).

In general, given how tricky security is, you’re much better off using a well-known, separate component to handle SSL termination than try to add it to each application server.