An organization's security policy will provide a more concise guide on whether to use HTTP or HTTPS to access an API. However, the following guidelines should generally be applied:
- Always use HTTPS if there is doubt regarding security
- Use HTTPS if the header or body carries commercially sensitive data (such as pricing data or financial transactions) or personal data
- If the external communication is via HTTPS, then the internal communication should also use HTTPS
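
The three guidelines above can be checked mechanically against an API route inventory. The following is an added example, not part of the original page: the route table, the host names, the `data` classification labels and the finding codes are all constructed for illustration, and treating an unclassified route as a case of "doubt" is an assumption.

```python
from urllib.parse import urlsplit

SENSITIVE = {"commercial", "personal"}  # data classes named in the guidelines

# Constructed sample inventory (hypothetical gateway routes, not from the page).
# "external" is the client-facing URL, "internal" the upstream the gateway calls.
ROUTES = [
    {"name": "catalog", "external": "http://api.example.test/catalog",
     "internal": "http://catalog.svc.internal:8080/", "data": "public"},
    {"name": "pricing", "external": "http://api.example.test/pricing",
     "internal": "http://pricing.svc.internal:8080/", "data": "commercial"},
    {"name": "profile", "external": "https://api.example.test/profile",
     "internal": "http://profile.svc.internal:8080/", "data": "personal"},
    {"name": "orders", "external": "https://api.example.test/orders",
     "internal": "https://orders.svc.internal:8443/", "data": "commercial"},
    {"name": "status", "external": "https://api.example.test/status",
     "internal": "http://status.svc.internal:8080/", "data": "public"},
    {"name": "legacy", "external": "http://api.example.test/legacy",
     "internal": "http://legacy.svc.internal:8080/", "data": None},
]

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def audit_route(route):
    """Return the guideline violations (as short codes) for one route."""
    ext, internal = is_https(route["external"]), is_https(route["internal"])
    data = route.get("data")
    findings = []
    # Guideline 1: doubt (here: no classification recorded) means HTTPS on every hop.
    if data is None and not (ext and internal):
        findings.append("UNCLASSIFIED_PLAINTEXT")
    # Guideline 2: sensitive or personal data must not cross any hop in cleartext.
    if data in SENSITIVE and not (ext and internal):
        findings.append("SENSITIVE_PLAINTEXT")
    # Guideline 3: HTTPS externally but HTTP behind the gateway.
    if ext and not internal:
        findings.append("INTERNAL_DOWNGRADE")
    return findings

def audit(routes):
    """Map route name -> findings, omitting routes with no violations."""
    results = {r["name"]: audit_route(r) for r in routes}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit(ROUTES).items():
        print(f"{name}: {', '.join(findings)}")
```
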