nasa / api-docs

api.nasa.gov
http://nasa.github.io/api-docs/

Enforce HTTP Strict Transport Security on api.nasa.gov #74

Closed martinsuchan closed 7 years ago

martinsuchan commented 8 years ago

For better security and for preventing various Protocol Downgrade Attacks, the endpoint api.nasa.gov should enforce HTTP Strict Transport Security - add a response header indicating that all communication should always happen on HTTPS. Since api.nasa.gov already works only on HTTPS, adding HSTS should not break anything, only improve the security for all the clients. For more details about HSTS please check this article: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

jnbetancourt commented 7 years ago

NASA APIs now enforce strict transport security. Thanks for the suggestion!
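
For readers who want to verify the kind of header this issue asks for, here is an added example (not part of the thread and not NASA's code) that evaluates a `Strict-Transport-Security` response header the way RFC 6797 tells clients to. The function names and sample responses are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class HstsPolicy(NamedTuple):
    max_age: int              # seconds the client keeps forcing HTTPS
    include_subdomains: bool

_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse one header value per RFC 6797 section 6.1; None means 'ignore it'."""
    seen = {}
    # Simplification: split on ';' (a quoted value containing ';' is not handled).
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not _TOKEN.fullmatch(name) or name in seen:
            return None                   # bad name or repeated directive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # max-age may be a quoted-string
        seen[name] = val if sep else None
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                       # max-age is the one required directive
    return HstsPolicy(int(max_age), "includesubdomains" in seen)

def effective_policy(scheme: str, headers: List[Tuple[str, str]]) -> Optional[HstsPolicy]:
    """Policy a conforming client would store for this response, if any."""
    if scheme.lower() != "https":
        return None                       # header over plain HTTP must be ignored
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)      # only the first such header counts
    return None

if __name__ == "__main__":
    # Constructed sample responses (not captured from api.nasa.gov).
    samples = [
        ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
        ("http", [("Strict-Transport-Security", "max-age=31536000")]),
        ("https", [("Strict-Transport-Security", "includeSubDomains")]),
    ]
    for scheme, headers in samples:
        print(scheme, headers[0][1], "->", effective_policy(scheme, headers))
```

A returned `max_age` of 0 is a valid policy that tells the client to stop treating the host as HSTS-only, so a check for "HSTS is on" should also require a non-zero value.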