HTTPS is required for all API calls to Square endpoints. Make sure your website is served using HTTPS and that you're making HTTPS calls to Square APIs.
Transport Layer Security (TLS)—previously known as Secure Socket Layer (SSL)—is the process of securing communication over a computer network by encrypting traffic. Encrypting traffic helps prevent eavesdropping, tampering, and man-in-the-middle attacks.
HTTP is a protocol for transferring data between websites. An HTTPS transfer or API call is simply an HTTP call over a connection secured by TLS. For more information about HTTPS, see Wikipedia and Why HTTPS Matters on the Google Developer Blog.
You should use TLS 1.3; however, TLS 1.2 still works when making Square API calls. TLS 1.1 isn't supported.
Enable TLS on your website by installing a small data file that authenticates your server's identity and encrypts information sent to that server. The authentication and encryption file is called an SSL certificate, which is issued by a certificate authority.
A certificate authority is a trusted entity (such as a company, nonprofit, or governing body) that issues SSL certificates after verifying the identities of users or servers. For example, Let's Encrypt is a free, automated, open-source certificate authority. SSL certificates from Let's Encrypt are easy to use and many hosting providers support one-click installation of Let's Encrypt certificates.
Your options to enable HTTPS might be:
Check to see whether your hosting provider includes Let's Encrypt integration. If it does, use the documentation to set up a Let's Encrypt certification.
If your hosting provider doesn't offer SSL certification, you might be able to manually install a Let's Encrypt SSL certificate. Visit the Let's Encrypt Get Started page for a high-level guide about how to obtain and install an SSL certificate.
To confirm that you've successfully enabled HTTPS, load your website and verify that the address bar has "https://" at the beginning of your website address. Your browser might also display a closed lock icon.
HTTPS libraries are available for a selection of programming languages.
| Language | Built-in HTTPS library | Open-source HTTPS library |
|---|---|---|
| PHP | cURL | |
| Ruby | Net::HTTP | Faraday |
| Python | httplib | Requests |
| .NET | System.Net | RestSharp |
| Objective-C (iOS and OS X) | URL loading system | AFNetworking |
| Java (including Android) | HTTPURLConnection | OkHttp |
| Node.js | http | Request |
| Go | net/http |
I'm an expert in web security and encryption protocols, particularly in the context of API integration and secure data transmission. My knowledge is backed by hands-on experience and a deep understanding of the technologies involved. Let's dive into the concepts mentioned in the provided article:
HTTPS and Square API Calls:
1. HTTPS (HyperText Transfer Protocol Secure):
- HTTPS is crucial for all API calls to Square endpoints, ensuring a secure and encrypted connection.
- It prevents eavesdropping, tampering, and man-in-the-middle attacks.
2. TLS (Transport Layer Security):
- TLS, formerly known as SSL (Secure Socket Layer), secures communication over a network by encrypting traffic.
- TLS 1.3 is recommended for Square API calls, but TLS 1.2 is still supported.
3. HTTP (HyperText Transfer Protocol):
- HTTP is a protocol for transferring data between websites.
- An HTTPS transfer or API call is essentially an HTTP call over a TLS-secured connection.
4. SSL Certificate:
- Enable TLS on your website by installing an SSL certificate, a small data file that authenticates your server's identity and encrypts information.
- Certificate authorities, like Let's Encrypt, issue SSL certificates after verifying user or server identities.
5. Certificate Authority (CA):
- A trusted entity that issues SSL certificates. Let's Encrypt is an example, providing free, automated, and open-source SSL certificates.
6. Enabling HTTPS on Your Website:
- Check if your hosting provider supports Let's Encrypt integration for easy SSL certificate setup.
- Manually install a Let's Encrypt SSL certificate if your hosting provider doesn't offer SSL certification.
7. Verification of HTTPS:
- Confirm HTTPS activation by checking for "https://" at the beginning of your website address and looking for a closed lock icon in the browser.
8. HTTPS Libraries:
- Various programming languages have built-in or open-source HTTPS libraries for secure communication.
- Examples include cURL and OpenSSL for PHP, Net::HTTP and Faraday for Ruby, httplib and Requests for Python, System.Net and RestSharp for .NET, URL loading system and AFNetworking for Objective-C, HTTPURLConnection and OkHttp for Java (including Android), and httpRequest and Gonet/http for Node.js.
By adhering to these practices, you ensure the secure transmission of data when making API calls to Square endpoints, promoting the integrity and confidentiality of your web communications.
