Securing your API requests

 

For many years our API documentation has included the following note:

PLEASE USE HTTPS (SSL)
The API server will (currently) respond in plain HTTP but you do so entirely at your own risk.
HTTPS is recommended and there is no reason for not using it. You are responsible for anything done with your username and password, so please use the tools given to protect them.

And the vast majority of customers do use HTTPS, but we still see the odd HTTP request to our API endpoints.

From March 2017, all requests to the Simwood API must be made over TLS (HTTPS)

We’re fast approaching 2017 and there have been numerous efforts to bring TLS to all of the web: services such as letsencrypt.org offer free TLS certificates and automated tools that make adding HTTPS to every website easy, and browsers (e.g. Google Chrome) are starting to mark all non-HTTPS websites as insecure, with a view to moving towards a more secure web.

The API is a little different. It’s not a website that you consume with a browser, and we appreciate that some of our customers may be using older libraries to interface with the API, so we’ve held off mandating HTTPS at the server level for some time (although some endpoints are HTTPS only).

Behind the scenes we’re working on APIv4, which was designed from the ground up to be HTTPS and JSON format only, but in 2017 there is no reason to continue to maintain unencrypted access to an API.

We’ve given as much advance notice of this change as possible, and the vast majority of our customers will be unaffected, but please check you’re using HTTPS and that your libraries support TLSv1, TLSv1.1, or TLSv2. We will not support requests from clients that only support the older (and insecure) SSLv3 standard.

Please use this notice of more than three months to migrate to https://api.simwood.com. If you are still relying on older libraries, you have plenty of time to upgrade them, as this will be a one-way change in March.
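
One way to run the check asked for above on a Python client, as an added example that is not Simwood's own code: it flags plaintext http:// URLs for the API host in configuration text, reports whether the local TLS library offers anything newer than SSLv3, and builds a client context that verifies certificates. The sample configuration, its paths and all function names are constructed for illustration, and the version flags are the ones Python's ssl module exposes.

```python
import re
import ssl
from urllib.parse import urlsplit

API_HOST = "api.simwood.com"  # host named in the announcement

# Constructed sample of client configuration (paths and keys are made up).
SAMPLE_CONFIG = """\
base_url = http://api.simwood.com/example/
callback = https://example.invalid/hook
legacy   = HTTP://API.SIMWOOD.COM/example/accounts
secure   = https://api.simwood.com/example/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_plaintext_api_urls(text, host=API_HOST):
    """Return (line_number, url) for each http:// URL that targets the API host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)  # scheme and hostname come back lower-cased
            if parts.scheme == "http" and (parts.hostname or "").lower() == host:
                hits.append((lineno, url))
    return hits


def local_tls_support():
    """Protocol versions the TLS library behind this Python was built with."""
    return {"SSLv3": ssl.HAS_SSLv3, "TLSv1": ssl.HAS_TLSv1,
            "TLSv1.1": ssl.HAS_TLSv1_1, "TLSv1.2": ssl.HAS_TLSv1_2}


def can_use_tls_only_api(support):
    """True if any TLS version is available, i.e. the client is not SSLv3-only."""
    return any(ok for name, ok in support.items() if name.startswith("TLS"))


def strict_client_context():
    """Context that verifies the server certificate and never goes below TLSv1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = max(ctx.minimum_version, ssl.TLSVersion.TLSv1)
    return ctx


if __name__ == "__main__":
    for lineno, url in find_plaintext_api_urls(SAMPLE_CONFIG):
        print(f"line {lineno}: plaintext API URL {url}")
    print("local TLS support:", local_tls_support())
    print("TLS-only API usable:", can_use_tls_only_api(local_tls_support()))
```

Pass the result of `strict_client_context()` to your HTTP library's TLS context parameter so that certificate verification stays on once the URLs are switched to https.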