Open leandrosansilva opened 2 months ago
How to Fix the Issue: Update the API URL to Use HTTPS: Change the API URL in your code from http:// to https://. The OMDb API supports HTTPS, so this change should work without any further modifications.
Maybe consider changing it in the example too? :D so users won't get confused. Still no changes as far as I know.
First of all, thank you a lot for offering such service as an alternative to the paid IMDB API.
I just created a key to play around with the API and noticed that all the interaction has been done via plain HTTP connections, from browsing the website, submitting the key registration form, and activating the key.
Luckily I used a disposable e-mail address.
In practical terms, using plain HTTP means that the sensitive information is public, no longer being sensitive, which is a huge security issue. This is IMO a severe security issue.
Awkwardly enough, the API, as well as the website, do work over HTTPS, which prevents such security issues (at least on the public side of the application), so I really believe the documentation should change to tell users to simply use the https:// version of the endpoints. Furthermore, the http endpoints could IMO be disabled, maybe even returning an error warning the users that their keys have been leaked and that they should create a new key and use the HTTPS endpoints. I don't think an HTTP redirect suffices here in terms of security.
Evidence:
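The post argues that a redirect from http:// to https:// is not enough, because the API key has already crossed the wire in the clear by the time the redirect is issued. The following is an added example, not code from the issue, from OMDb, or from any library: a small model of the server-side handling the post proposes (reject plaintext requests that carry a key with an error that tells the user to rotate it, redirect only key-less plaintext requests, and set HSTS on HTTPS responses), plus a client-side guard that refuses a non-HTTPS base URL. The host `api.example.test`, the `apikey` parameter name and the sample key are constructed placeholders.

```python
"""Added example: HTTP-vs-HTTPS handling for an API that authenticates with a
query-string key. Host, parameter name and key value are constructed placeholders."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl, urlencode

KEY_PARAM = "apikey"  # assumed name of the key parameter


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _https_url_without_key(url: str) -> str:
    """Rewrite the URL to https:// and drop the key so the error body never echoes it."""
    parts = urlsplit(url)
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query) if k != KEY_PARAM])
    return parts._replace(scheme="https", query=query).geturl()


def handle_request(url: str) -> Response:
    """Server-side decision for one incoming request URL.

    - https://              -> serve normally, with HSTS so the browser stops using http://
    - http:// with a key    -> the key is already exposed; refuse with an error that
                               tells the user to create a new key (a redirect would
                               hide the leak and retry the same key over TLS)
    - http:// without a key -> nothing sensitive was sent; a redirect is acceptable
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.scheme == "https":
        return Response(200, {"Strict-Transport-Security": "max-age=31536000"}, "ok")
    if KEY_PARAM in params:
        return Response(
            403,
            {},
            "Your API key was sent over plaintext HTTP and must be treated as leaked. "
            "Create a new key and use the HTTPS endpoint: " + _https_url_without_key(url),
        )
    return Response(301, {"Location": parts._replace(scheme="https").geturl()})


def enforce_https(base_url: str) -> str:
    """Client-side guard: refuse to send a key anywhere but over TLS."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError(f"refusing to send API key over non-HTTPS URL: {base_url}")
    return base_url


if __name__ == "__main__":
    leaked = handle_request("http://api.example.test/?apikey=PLACEHOLDERKEY&t=Inception")
    print(leaked.status, leaked.body)
    print(handle_request("http://api.example.test/?t=Inception").headers)
    print(handle_request("https://api.example.test/?apikey=PLACEHOLDERKEY").headers)
```

The key point the example encodes is the asymmetry the post describes: a redirect is fine for requests that carried nothing secret, but once a key has been sent in the clear the honest response is an error that names the problem and asks for a new key, never a silent retry over TLS.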