Insecure host (OAS2)

owasp-security-hosts-https-oas2

Type:

Finding

Rule Severity:

Medium

Ensure APIs use HTTPS

HTTPS is the secure version of HTTP (HyperText Transfer Protocol). HTTP is the foundation of data exchange on the web, and HTTPS adds a layer of security to that exchange. The security in HTTPS comes from SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security), cryptographic protocols designed to provide communications security over a computer network. They encrypt the data transferred between a client device and the server, so that an eavesdropper who intercepts the traffic cannot read it. When a client (such as a browser or application) connects to an API endpoint over HTTPS, the connection is encrypted between the client and the server, so malicious actors cannot easily read or tamper with the data in transit.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

All server interactions should use the HTTPS protocol, meaning server URLs should begin with `https://`. Endpoints with weak security mechanisms are at risk of being breached.

Example Attack Scenario

Man-in-the-Middle (MitM) Attacks: In this kind of attack, an attacker intercepts communication between the client and the server. Hosting an API on an insecure host can allow an attacker to eavesdrop on the traffic or impersonate one of the parties. This can result in the attacker gaining access to sensitive data, manipulating requests or responses, and potentially stealing credentials or other confidential information.

How to Identify with Example Scenario

In an OAS2 (Swagger 2.0) document, `host` is a single string and the `schemes` list declares the transfer protocols the API accepts. The `http` entry under `schemes` below identifies this issue in an API specification:

host: firetail.io
schemes:
 - http
paths:
  /: {}

How to Resolve with Example Scenario

Modify the `schemes` entry so that only `https` is declared:

host: firetail.io
schemes:
 - https
paths:
  /: {}
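The following is an added example, not code from the FireTail rule page: a small Python checker that reports insecure transfer schemes in an OAS2 (Swagger 2.0) document. It inspects the top-level `schemes` list and also the per-operation `schemes` overrides that OAS2 permits, since an operation can re-enable `http` even when the top level declares only `https`. It reads JSON rather than YAML to avoid a third-party parser dependency; the sample specification, the function names and the `<unspecified>` marker are constructed for this example, while the host name is the one from the page's own example.

```python
"""Added example (not part of the FireTail rule page): report insecure
transfer schemes declared in an OAS2 (Swagger 2.0) document.

The sample spec below is constructed for this example."""

import json

# OAS2 schemes that carry traffic in the clear. `ws` is the unencrypted
# WebSocket scheme; `wss` is its TLS counterpart.
INSECURE_SCHEMES = {"http", "ws"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def find_insecure_schemes(spec):
    """Return a list of (location, scheme) findings.

    `location` is 'schemes' for the top-level list or
    'paths.<path>.<method>.schemes' for an operation-level override.
    """
    findings = []

    top_level = spec.get("schemes")
    if top_level is None:
        # OAS2: when `schemes` is absent, the scheme used to serve the
        # definition applies. That is not an explicit HTTPS guarantee, so
        # report it as unspecified rather than silently passing.
        findings.append(("schemes", "<unspecified>"))
    else:
        for scheme in top_level:
            if scheme.lower() in INSECURE_SCHEMES:
                findings.append(("schemes", scheme))

    # Operation objects may override `schemes`; walk every path item.
    for path, path_item in (spec.get("paths") or {}).items():
        for method, operation in (path_item or {}).items():
            if method.lower() not in HTTP_METHODS or not isinstance(operation, dict):
                continue
            for scheme in operation.get("schemes", []):
                if scheme.lower() in INSECURE_SCHEMES:
                    findings.append((f"paths.{path}.{method}.schemes", scheme))
    return findings


def check_document(text):
    """Parse a JSON-encoded OAS2 document and return its findings."""
    return find_insecure_schemes(json.loads(text))


# Constructed sample: HTTPS only at the top level, but one operation
# re-enables plain HTTP through an operation-level override.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "sample", "version": "1"},
    "host": "firetail.io",
    "schemes": ["https"],
    "paths": {
        "/": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/legacy": {
            "get": {
                "schemes": ["http"],
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
})

if __name__ == "__main__":
    for location, scheme in check_document(SAMPLE_SPEC):
        print(f"insecure scheme {scheme!r} declared at {location}")
```

Running the block as written reports the `/legacy` operation only, which is the case a top-level-only check would miss. An absent `schemes` list is reported as unspecified on purpose: the specification then inherits whatever scheme served the document, which is not a statement that the API requires HTTPS.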

References:
https://swagger.io/docs/specification/authentication/
