by Hizonner 748 days ago
Why not just stop listening on port 80, period?
3 comments

It’s a good option, but you can’t give users a reason for the failure. They might even assume your service is broken.
I stopped listening on port 80 for everything… nobody’s complained yet! Maybe because they can’t find the service though.
I think it's fair to assume j. random user isn't typing "http://api.example.net" into their web browser.

leading www perhaps, leading api no.

You'd be surprised... generally if there's a dedicated hostname for the API, I would expect / to either display or redirect to API docs.

Also, doesn't help when you're reverse proxying /api to $API/api

Posting on this forum means you are probably not J. Random User. I mean specifically anyone who will not grasp the difference between http:// and https://api.example.com.
I've done that myself and have consumed many others who have done it, and I don't think it's better. Much better to get a response that tells you to use https for the API. (for browser also a redirect is a must for UX, though our context here is API)
Because the whole point is a mitm can compromise it, and the mitm can listen on 80 regardless if you turn yours off.