Update Transport_Layer_Security_Cheat_Sheet.md (#1408)
Closes #1407.
jviide committed May 23, 2024
1 parent dbd8f1d commit 613798b
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions cheatsheets/Transport_Layer_Security_Cheat_Sheet.md
Expand Up @@ -158,6 +158,8 @@ TLS should be used for all pages, not just those that are considered sensitive s

For public facing applications, it may be appropriate to have the web server listening for unencrypted HTTP connections on port 80, and then immediately redirecting them with a permanent redirect (HTTP 301) in order to provide a better experience to users who manually type in the domain name. This should then be supported with the [HTTP Strict Transport Security (HSTS)](#use-http-strict-transport-security) header to prevent them accessing the site over HTTP in the future.

API-only endpoints should disable HTTP altogether and only support encrypted connections. When that is not possible, API endpoints should fail requests made over unencrypted HTTP connections instead of redirecting them.

### Do Not Mix TLS and Non-TLS Content

A page that is available over TLS should not include any resources (such as JavaScript or CSS) files which are loaded over unencrypted HTTP. These unencrypted resources could allow an attacker to sniff session cookies or inject malicious code into the page. Modern browsers will also block attempts to load active content over unencrypted HTTP into secure pages.
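Review bot: the added paragraph on API-only endpoints states the rule but not the reason, and a reader who has just been told that a permanent redirect on port 80 is appropriate for public-facing applications will ask why the same redirect is discouraged for APIs. Suggest adding a sentence such as: "A client that follows the redirect has already sent its full request, including any credentials or tokens it carries, over plain HTTP before the 301 arrives, and the HSTS header that protects browser users does not help non-browser API clients." It would also help to spell out what "fail requests" means in practice, for example respond with a 4xx error and no redirect, so that a misconfigured client surfaces the problem immediately instead of appearing to work.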

0 comments on commit 613798b