HTTPS access to the REST API
By default, access to the REST API is over HTTPS only and HTTP access is not permitted. An attempt to access any of the API endpoints (with the exception of /api/about and /api/version) over HTTP results in a 403 Forbidden error:
curl -i http://appliance/api/about
HTTP/1.1 403 Forbidden
{
"message" : "Access forbidden",
"code" : 403,
"transient" : false
}
On a new appliance, HTTPS should be configured before attempting to access the API (including submitting requests using the Swagger UI).
On the HTTPS configuration page, you can enable API access over HTTP, but this is not recommended in production and should only be used for testing purposes. API requests contain your Authentication token in an HTTP header, and this is passed in plain text when using HTTP.
For the same reason, if the appliance is configured to redirect HTTP requests to HTTPS, API access over HTTP cannot be enabled. This avoids an illusion of security: the initial request to the API would still be transmitted in plain text before the redirect, and it contains either your API token or, if you are accessing the /api/token endpoint, a username and password combination.
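The same rule can be enforced on the client side so that a mistyped http:// URL never sends a credential. The following is an added example, not code from the appliance or its vendor; the function names and the bearer-style Authorization header are assumptions, and the host name "appliance" is the one used in the curl example above.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

# Endpoints the page lists as not returning 403 over plain HTTP.
HTTP_EXEMPT_PATHS = {"/api/about", "/api/version"}


class InsecureTransportError(ValueError):
    """Raised before a request that would expose credentials over HTTP."""


def build_request(url, token=None):
    """Build a Request, attaching the token only when the URL is HTTPS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.scheme == "http":
        path = parts.path.rstrip("/")
        # Fail closed here: a later redirect to HTTPS cannot un-send a
        # header that already crossed the network in plain text.
        if token is not None or path not in HTTP_EXEMPT_PATHS:
            raise InsecureTransportError(
                f"refusing plain-HTTP request to {path or '/'}")
    req = Request(url)
    if token is not None:
        # Assumption: bearer-style header; use the format your appliance documents.
        req.add_header("Authorization", f"Bearer {token}")
    return req


def http_api_refused(status, body):
    """True when a plain-HTTP probe got the 403 JSON error shown above."""
    if status != 403:
        return False
    try:
        return json.loads(body).get("code") == 403
    except (ValueError, AttributeError):
        return False


# Constructed sample mirroring the 403 body on this page.
SAMPLE_403 = '{"message": "Access forbidden", "code": 403, "transient": false}'

if __name__ == "__main__":
    print(build_request("https://appliance/api/token", "constructed-token").header_items())
    print(http_api_refused(403, SAMPLE_403))
```

http_api_refused can be run against the status and body of an unauthenticated HTTP probe to confirm that HTTP API access is still disabled on an appliance.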