Transport layer encryption

Redirect FOP uses HTTPS (TLS) for transport layer security.

Transport layer encryption with HTTPS

All API endpoints must be served using HTTPS with TLS 1.2 or higher. API clients must have common name (CN) checking turned on, and the CN in the server's certificate, including any wildcard, must match the hostname.

We strongly recommend using a certificate issued under a root certificate included in the Mozilla CA certification program to reduce the level of maintenance necessary to keep this connection healthy. However, if necessary, we do allow partners to issue self-signed certificates that we can trust.

Cipher suites

The server must support at least one of these cipher suites and should not support cipher suites outside of the following set:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
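
The requirements above can be enforced on the client and checked against a server scan result. The following is an added example, not code from the original page or from the Redirect FOP project; the function names `build_client_context`, `audit_server` and `probe` are hypothetical, and the suite names are the OpenSSL names listed above.

```python
import socket
import ssl

# Allowlist copied from the "Cipher suites" list on this page (OpenSSL names).
ALLOWED_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
)
ALLOWED_VERSIONS = ("TLSv1.2", "TLSv1.3")  # "TLS 1.2 or higher"


def build_client_context(cafile=None):
    """Client context: TLS >= 1.2, chain and hostname verified, page suites only.

    cafile is for a partner's self-signed certificate; None uses system roots.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # matched against SAN, falling back to CN
    # set_ciphers() governs TLS 1.2 suites only; OpenSSL keeps its TLS 1.3 set.
    ctx.set_ciphers(":".join(ALLOWED_SUITES))
    return ctx


def audit_server(version, offered_suites):
    """Check a scan result: negotiated version plus the TLS 1.2 suites accepted."""
    outside = sorted(set(offered_suites) - set(ALLOWED_SUITES))
    return {
        "version_ok": version in ALLOWED_VERSIONS,
        "has_required_suite": any(s in ALLOWED_SUITES for s in offered_suites),
        "outside_allowlist": outside,
    }


def probe(host, port=443, cafile=None):
    """Handshake with the strict context; raises ssl.SSLError on any mismatch."""
    with socket.create_connection((host, port), timeout=10) as sock:
        ctx = build_client_context(cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

`probe` needs network access to the endpoint under test; `audit_server` works offline on the output of any TLS scanner that reports OpenSSL suite names.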