[OSM-dev] Usage of the standard dev server

markus schnalke meillo at marmaro.de
Wed Feb 3 21:51:45 UTC 2016


> Adding https is also a bit tricky at the moment I think, but should be 
> possible if/when we switch to letsencrypt.

That would be great and important, because HTTP Basic Authentication
should not be done unencrypted. In developing an editor, one would want
to ensure that the API is always called via HTTPS, if HTTP Basic Auth is
to be used. Testing such an editor is thus not possible with the testing

Furthermore, the relevant section in the API spec does not mention the
need to use HTTPS:
Actually, none of the terms `https', `ssl', `tls' and `encryption' does
appear in the spec. Of course, this is not the topic of the API spec,
but with respect to the danger of an editor developer missing the need
to use https, it seems to be worthwhile to add a note there.

I can provide some text pieces if that would be helpful. (Didn't wanted
to modify the API document uninvited ...)


More information about the dev mailing list