api.data.gov migrating to all-HTTPS


Eric Mill

Apr 2, 2015, 3:40:33 PM
to us-government-apis
Hi all,

I wanted to shout out some leaderly work on Nick Muerdter's part, on officially kicking off api.data.gov's migration to all HTTPS:


Migrating to HTTPS is something Nick has been open and enthusiastic about doing for a long while, but of course, migrating an API with a substantial user base is much different than migrating a website. Nick's starting off by enforcing HTTPS for all new APIs that join the system, moving the api.data.gov website itself over to HTTPS, and adding a "transition mode" for existing APIs.

One particularly clever thing Nick is doing is allowing transitioning APIs to force new API keys to only be used over HTTPS, even for existing APIs. I had never thought of that, and that's a great way of capping the surface area of legacy clients that will need to migrate for the eventual hard switch.

Many on this list may have already seen, but part of the impetus here is the federal government's proposed HTTPS-only standard (which, full disclosure, I helped with). The proposal, which is receiving public comment now and will hopefully be finalized in the near future, is extremely blunt and broad, and includes both websites and APIs.

Using HTTPS for all interactions, not just "sensitive" content, can be a real mindset shift for a lot of people. While the federal government is demonstrating leadership on the subject, it's important to understand that this is what the Web, and the Internet generally, are pushing for across the board.

The proposal above has some (definitely incomplete) guidance on migrations, including a page on moving APIs. Some of it is adapted from my experience at migrating Sunlight's Congress API. We'll definitely be fleshing it out with api.data.gov's experience, and I encourage anyone else making the move to help feed their experience back into documentation and resources for others.

Hats off to Nick M and to the api.data.gov project for making a strong commitment and finding clever ways to move to HTTPS!

-- Eric
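
A sketch of the per-key "transition mode" enforcement described in the post, added here as an example; it is not api.data.gov's code. The mode names, the 403 response, the cutoff date and the sample keys are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed policy names and cutoff; the post does not give the real settings.
OPTIONAL, TRANSITION, REQUIRED = "optional", "transition", "required"
CUTOFF = datetime(2015, 4, 2, tzinfo=timezone.utc)  # constructed date

@dataclass(frozen=True)
class Request:
    api_key: str
    key_created: datetime
    scheme: str  # "http" or "https"

def decide(mode, req, cutoff=CUTOFF):
    """Return (status, reason) for one request under the API's HTTPS mode."""
    if req.scheme == "https":
        return 200, "ok"
    if mode == REQUIRED:
        # Reject instead of redirecting: the key already crossed the wire in
        # cleartext, and a silent redirect would hide that from the client.
        return 403, "https_required"
    if mode == TRANSITION and req.key_created >= cutoff:
        # Keys issued after the cutoff never get to work over plain HTTP.
        return 403, "https_required_for_new_keys"
    return 200, "http_allowed"

def legacy_http_keys(mode, requests, cutoff=CUTOFF):
    """Count plain-HTTP calls per key that are still allowed: the clients
    that must migrate before the hard switch to REQUIRED."""
    counts = Counter()
    for req in requests:
        if decide(mode, req, cutoff)[1] == "http_allowed":
            counts[req.api_key] += 1
    return counts

# Constructed sample traffic.
OLD = datetime(2014, 6, 1, tzinfo=timezone.utc)
NEW = datetime(2015, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    Request("key-old-1", OLD, "http"),
    Request("key-old-1", OLD, "http"),
    Request("key-old-2", OLD, "https"),
    Request("key-new-1", NEW, "http"),
    Request("key-new-2", NEW, "https"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.api_key, r.scheme, decide(TRANSITION, r))
    print(dict(legacy_http_keys(TRANSITION, SAMPLE)))
```

The per-key count from `legacy_http_keys` is the list of clients to contact before the hard switch; under transition mode it can only shrink, because no newly issued key can join it.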
