I built a REST API using PHP and added OAuth2 for authentication. The API runs over HTTP right now. My frontend app (built with Angular2) needs to call various endpoints from this API, mostly for getting data.
Here’s how the auth flow works: the frontend sends username, password, and API key in the request headers to my OAuth2 endpoint. The server returns an access token that gets used for subsequent requests.
I’m worried about security here. What if someone opens browser dev tools and sees these credentials or tokens being sent? Could they copy this info and make their own API calls?
Is there any way to make this setup more secure without switching to HTTPS? Or do I absolutely need SSL certificates to protect sensitive data in transit?
Wait, is this HTTP setup temporary for dev work or are you keeping it long-term? What’s blocking you from getting SSL - cost, complexity, or something else? If we know what’s stopping you, we can probably suggest better workarounds than forcing HTTPS.
Honestly mate, securing API calls without HTTPS is like locking a paper door. Hash or encrypt client-side all you want - anyone can still intercept and replay those requests. I’ve watched devs try weird workarounds. They all fail eventually. Just get SSL. It’s not 2010 anymore - certificates are basically free now.
You absolutely need HTTPS for production. There’s no way around it when you’re sending credentials and tokens. Browser dev tools aren’t even the real problem - it’s network sniffing, man-in-the-middle attacks, and packet inspection that’ll kill you when credentials travel in plaintext. I learned this the hard way on a client project. We deployed over HTTP thinking we’d add extra encryption layers later. The security audit immediately flagged it as critical. SSL certificates are cheap and easy now - Let’s Encrypt gives you free ones with auto-renewal. Even with HTTPS, add short token expiration, refresh token rotation, and rate limiting. But these just supplement SSL, they don’t replace it. Your OAuth2 setup is solid, but it’s useless without proper transport security.