Encryption and HTTPS

While Authentication and Authorization protect access to the API, Encryption protects the data itself as it travels across the internet. Without encryption, anyone intercepting the traffic (on public WiFi, at the ISP level, etc.) can read your API Keys, passwords, and sensitive user data in plain text.

HTTP vs HTTPS

HTTP (HyperText Transfer Protocol): Text is sent in clear text.

Request: POST /login { "pass": "secret123" }

Hacker sees: POST /login { "pass": "secret123" }

HTTPS (HTTP Secure): Text is encrypted using TLS (Transport Layer Security).

Request: POST /login { "pass": "secret123" }

Hacker sees: Xy9z#%a8... (garbled nonsense)

Fundamentals of TLS (Transport Layer Security)

TLS (the successor to SSL) ensures:

Encryption: The data is hidden.

Integrity: The data hasn't been modified in transit.

Authentication: The server is who it claims to be (via Certificates).

The Handshake (Simplified)

Client Hello: "I want to connect securely."

Server Hello: "Here is my public certificate (Proof of ID)."

Validation: Client checks the certificate with a Trusted Authority (CA). "Is this really api.example.com?"

Key Exchange: Client and Server agree on a "Session Key" to encrypt the rest of the conversation.

Best Practices for APIs

1. Enforce HTTPS Everywhere

Do not support HTTP. Redirect all HTTP traffic to HTTPS, or better yet, use HSTS (HTTP Strict Transport Security) headers to tell the browser "Never try to talk to me over HTTP again."

2. Manage Certificates

Use reputable Certificate Authorities (CAs).

Automate renewal (e.g., Let's Encrypt + Certbot) to avoid expiration outages.

3. Mutual TLS (mTLS)

For highly sensitive, internal, or B2B APIs (e.g., Open Banking), standard HTTPS isn't enough.

Standard HTTPS: Client verifies Server.

mTLS: Client verifies Server AND Server verifies Client.
The client must present its own certificate. This is one of the strongest forms of authentication available.

Encryption at Rest

While HTTPS protects data in transit, don't forget data at rest.

Database: Encrypt the disk volumes or specific columns containing sensitive info (PII).

Backups: Encrypt your database backups!

Key Takeaways

Never deploy an API over plain HTTP.

TLS provides confidentiality and integrity.

mTLS is an advanced option for zero-trust environments.

Next Step: That completes our tour of API Security. Let's recap everything in the Chapter Summary.

HTTP vs HTTPS#

Fundamentals of TLS (Transport Layer Security)#

The Handshake (Simplified)#

Best Practices for APIs#

1. Enforce HTTPS Everywhere#

2. Manage Certificates#

3. Mutual TLS (mTLS)#

Encryption at Rest#

Key Takeaways#