I am creating an API intended for use by JavaScript clients hosted in different domains through CORS requests.
My API is only available through HTTPS.
I would like to restrict access only to those JavaScript clients that are also accessible from HTTPS domains.
Reading the CORS specification - http://www.w3.org/TR/cors/#user-agent-security - it seems that most user agents automatically prevent HTTPS client requests for HTTP API requests.
Is it possible to demand the opposite - i.e. prevent HTTP clients from accessing my HTTPS-API?
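Added example, not part of the original question: the `Origin` header a browser sends on a CORS request includes the scheme, so a server can grant `Access-Control-Allow-Origin` only to `https://` origins. The function names and the sample origins are assumptions made up for illustration.

```javascript
// Added example: build CORS response headers that only grant access to
// origins served over HTTPS. Names and sample values are constructed.

// Return the origin if it is a well-formed https origin, otherwise null.
function parseHttpsOrigin(originHeader) {
  // Missing header (not a CORS request) or the opaque "null" origin
  // (sandboxed iframes, file:// pages): no grant.
  if (typeof originHeader !== "string" || originHeader === "" ||
      originHeader === "null") {
    return null;
  }
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (url.protocol !== "https:") return null; // http:// and others refused
  // A serialized origin is exactly scheme://host[:port]. Anything that does
  // not round-trip (path, query, credentials, odd casing) is refused.
  if (url.origin !== originHeader) return null;
  return url.origin;
}

// Headers to attach to the API response for a given request Origin.
function corsHeadersFor(originHeader) {
  // Vary: Origin is always set so a shared cache never replays a response
  // granted to one origin for a request coming from another.
  const headers = { "Vary": "Origin" };
  const origin = parseHttpsOrigin(originHeader);
  if (origin !== null) {
    // Echo the specific origin rather than "*", which would admit http pages.
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample Origin values, as a browser would send them.
for (const o of ["https://app.example.com", "http://app.example.com",
                 "https://app.example.com:8443", "null", undefined]) {
  const granted = "Access-Control-Allow-Origin" in corsHeadersFor(o);
  console.log(String(o).padEnd(32), granted ? "allowed" : "refused");
}
```

Without the `Access-Control-Allow-Origin` header the browser blocks the page's script from reading the response. This constrains browser clients only, since a non-browser client can send any `Origin` value it likes.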