[emteycz]

Everything (including links to external sites) should be on HTTPS. Browsers will error if you try to load JS assets from HTTP on a HTTPS site.

Don't use HTTP for API even if you could. Usually servers will return status 301 (client-side redirect) directed to the same URL but using HTTPS to any HTTP request.

Don't mix hostnames - do coolstore.com/api instead - that frees you from cross-origin security issues.

[epimetheus2]

sure, but does it need to be disabled? As in, my website will use HTTPS, but HTTP may be still present. Does that open up door for any attack?

[GauntletWizard]

I'm of the (weak) opinion that if you have www.coolapp and api.coolapp, you should have port 80 closed on api. - don't even serve redirects. Any legitimate traffic would be broken anyway, and it prevents you from even accidentally doing something stupid like serving a cookie without secure, or receiving (unencrypted) a token from a misconfigured client.

[emteycz]

It doesn't as long as you handle the HTTP->HTTPS redirect on your proxy (NGINX, Apache, Caddy or similar) and don't pass any of these requests to your backend.

[epimetheus2]

you can copy curl from browser, change https to http and it will work, is that susceptible? The whole react app uses https

[emteycz]

Don't allow any HTTP requests to be passed to your actual backend app, handle them only on the proxy.

For example:

You set up NGINX on ports 80 and 443 and open these ports (TCP for 80 and TCP/UDP for 443) to the internet, and close all other ports. Your backend runs on port 3000, and you configure NGINX to proxy pass coolstore.com/api to said port 3000.

All client-traffic HTTPS is handled on the NGINX proxy (it can also serve your static files very well). Any HTTP requests are sent response status 301 with HTTPS version of request URL.