Is serving Ionic 2 apps with JSON from an SSL?


#1

When serving an Ionic 2 app, is it best practice to do this via a site using SSL?

Security-wise, I’d be interested to here thoughts.

Thanks


#2

If you want your app to be a Progressive Web App (i.e. use Service Workers) then SSL is actually a requirement.


#3

Ah yes, that’s a very good point.

If a PWA is not required, I think if data is being consumed from an open API, e.g. WordPress wp-json, then a non-scure connection is fine. However, if your app is send/receiving sensitive data, obv. SSL is the way to go.

What about posting of data from the app? In a standard JSON data post to an SSL server, wouldn’t the data be non-encrypted/secure until it gets to the server? Is that an issue? If so, is there a method to encrypt data? I know WhatsApp just got stung because their data was not properly encrypted.


#4

Not really specific to Ionic, but I strongly recommend using HTTPS for everything. (The alleged WhatsApp “backdoor”, which is in fact nothing of the sort, had nothing to do with HTTPS anyway.)


#5

Thanks for the advice. All great info :slight_smile:

Would you have any recommendations? I pay for SSL, but have seen things like LetsEncrypt offer free SSL. I did take a look but it looked quite a complicated process…


#6

I don’t think it’s particularly complicated, but it depends somewhat on what your hosting situation is. If you can install certbot on your host, it’s very easy. Even if not, you can generate the certs remotely.


#7

Good to know that you’ve had a good experience. Does CertBot take care of the renewal of the certs too? I hear they have a short expiry.


#8

Fortunate to be one of the beta testers.

Yes.

3 months, but if you have certbot installed on the server, it can autorenew for you.


#9

I have Cpanel with AutoSSL. Does this negate the need for CertBot?


#10

Apple will require (or already is requiring) https for its apps.


#11

Yet another reason then… Thanks @chrisbenseler


#12

Haven’t used it, but looks that way.