HTTPS and TLS for APIs — Complete Security Guide

DodaTech Updated 2026-06-28 3 min read

In this tutorial, you will learn about HTTPS and TLS for APIs. We cover key concepts, practical examples, and best practices to help you master this topic.

HTTPS (HTTP Secure) uses TLS (Transport Layer Security) to encrypt communication between clients and your API server. Without it, all data including passwords and tokens travels in plain text over the network.

What You'll Learn

You'll learn how TLS works, how to enable HTTPS on your API server, and best practices for certificate management.

Why It Matters

Every major browser and mobile platform now mandates HTTPS. APIs without HTTPS expose credentials, tokens, and data to anyone on the same network.

Real-World Use

A banking API without HTTPS allows anyone on a public Wi-Fi network to intercept account numbers and transaction details using tools like Wireshark.

sequenceDiagram
    participant Client
    participant Server
    participant CA as Certificate Authority
    Client->>Server: ClientHello (supported TLS versions, cipher suites)
    Server->>Client: ServerHello (selected TLS version, cipher suite) + Certificate
    Client->>CA: Verify certificate signature
    CA-->>Client: Certificate valid
    Client->>Server: Pre-master secret (encrypted with server's public key)
    Server->>Client: Finished (encrypted with session key)
    Client->>Server: Finished (encrypted with session key)
    Note over Client,Server: Secure encrypted channel established

Teacher's Mindset

HTTPS is like sending a letter in a sealed envelope instead of a postcard. TLS ensures only the recipient can open the envelope, and no one can alter the contents during delivery.

Enabling HTTPS on Your API

# Python Flask with HTTPS
from flask import Flask, jsonify
import ssl

app = Flask(__name__)

@app.route("/api/health")
def health():
    return jsonify({"status": "healthy"})

if __name__ == "__main__":
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(
        certfile="/etc/ssl/certs/api.crt",
        keyfile="/etc/ssl/private/api.key"
    )
    app.run(host="0.0.0.0", port=443, ssl_context=context)

// Node.js with HTTPS
const https = require("https");
const fs = require("fs");
const express = require("express");

const app = express();
app.get("/api/health", (req, res) => {
  res.json({ status: "healthy" });
});

const options = {
  cert: fs.readFileSync("/etc/ssl/certs/api.crt"),
  key: fs.readFileSync("/etc/ssl/private/api.key")
};

https.createServer(options, app).listen(443);

# NGINX reverse proxy with TLS
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate /etc/ssl/certs/api.crt;
    ssl_certificate_key /etc/ssl/private/api.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location /api/ {
        proxy_pass http://localhost:5000;
    }
}

Common Mistakes

| Mistake | Why It's Wrong | Fix |
| --- | --- | --- |
| Using self-signed certs in production | Browsers and clients reject them | Use Let's Encrypt or a commercial CA |
| Disabling certificate validation | Enables man-in-the-middle attacks | Always validate certificates client-side |
| Using outdated TLS 1.0 or 1.1 | Vulnerable to POODLE and BEAST attacks | Enforce TLS 1.2 or higher |
| Exposing private keys | Anyone can impersonate your server | Store keys in a secrets manager and restrict file permissions |
| Not redirecting HTTP to HTTPS | Users may accidentally use an insecure connection | Set up a 301 redirect from HTTP to HTTPS |
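The first three rows are easiest to understand by running them against a live TLS endpoint. The following Go program is an added example, not part of the article; Go is used here because its standard library lets the whole exchange run in-process with no external key files: `httptest` ships a throwaway self-signed certificate for 127.0.0.1, the server enforces TLS 1.2+, and four clients probe it (default validation, validation disabled, the issuer trusted, and a client capped at TLS 1.1).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
)

// Check records how one client TLS configuration fared against the API server.
type Check struct{ OK, UntrustedIssuer bool } // OK: got HTTP 200; UntrustedIssuer: chain rejected as untrusted

// startAPI serves /api/health over TLS; httptest supplies a throwaway self-signed cert for 127.0.0.1.
func startAPI() *httptest.Server {
	health := func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"status":"healthy"}`)) }
	srv := httptest.NewUnstartedServer(http.HandlerFunc(health))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12} // the "Enforce TLS 1.2 or higher" fix
	srv.StartTLS()
	return srv
}

// probe issues one GET with the given client-side TLS settings and classifies the outcome.
func probe(base string, cfg *tls.Config) Check {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(base + "/api/health")
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return Check{UntrustedIssuer: errors.As(err, &unknown)}
	}
	resp.Body.Close()
	return Check{OK: resp.StatusCode == http.StatusOK}
}

// RunChecks exercises three rows of the Common Mistakes table against a live server.
func RunChecks() map[string]Check {
	srv := startAPI()
	defer srv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // the fix: trust the real issuer and keep validation on
	tls11Only := &tls.Config{RootCAs: trusted, MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11}
	return map[string]Check{
		"self-signed":    probe(srv.URL, &tls.Config{}),                         // row 1: rejected, as browsers do
		"validation-off": probe(srv.URL, &tls.Config{InsecureSkipVerify: true}), // row 2: accepts any cert, a MITM's too
		"trusted-root":   probe(srv.URL, &tls.Config{RootCAs: trusted}),         // passes without disabling checks
		"tls11-client":   probe(srv.URL, tls11Only),                             // row 3: refused by the server's MinVersion
	}
}
```

Drive it from `go test` or a small `main` that prints `RunChecks()`: the default client fails with an untrusted-issuer error, the validation-off client succeeds despite the same certificate (which is exactly why that setting is dangerous), the trusted-root client succeeds with validation still on, and the TLS 1.1 client is refused by the server.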

Practice Questions

  1. What does TLS protect against?
  2. How does the TLS handshake establish a shared secret?
  3. What is the difference between a self-signed certificate and a CA-signed certificate?
  4. Why should TLS 1.0 and 1.1 be disabled?
  5. How does HSTS help enforce HTTPS?

Challenge

Set up a Node.js HTTPS server with a Let's Encrypt certificate using the ACME protocol. Redirect all HTTP traffic to HTTPS.

FAQ

Can TLS be used without HTTPS?

Yes. TLS wraps any TCP connection. STARTTLS in SMTP and IMAP, HTTPS for HTTP, and secure WebSocket (wss) all use TLS.

What is the difference between SSL and TLS?

SSL is the deprecated predecessor. TLS 1.0 was based on SSL 3.0. Use TLS 1.2 or 1.3 only.

How long do TLS certificates last?

As of 2024, maximum validity is 90 days for Domain Validation certificates. Let's Encrypt certificates expire after 90 days.

What is OCSP stapling?

A TLS extension where the server sends a signed OCSP response during the handshake, proving the certificate has not been revoked.

Do I need HTTPS for internal microservices?

Yes. Internal traffic can still be intercepted. Use mTLS for mutual authentication between services.

Mini Project

Deploy an API with a Let's Encrypt certificate using Certbot. Implement automatic renewal with a cron job. Test with SSL Labs SSL Server Test.

What's Next

Learn how authentication verifies user identity before granting access to your API.
