From 019282e62fa57d52448364a251b782047127b2c7 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 16 May 2024 15:48:09 +0200 Subject: [PATCH] HTTPs must be always used confidentiality and authentication methods are separate topics --- documentation/API-design-guidelines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/API-design-guidelines.md b/documentation/API-design-guidelines.md index 7644f5ec..a1fc212e 100644 --- a/documentation/API-design-guidelines.md +++ b/documentation/API-design-guidelines.md @@ -881,7 +881,7 @@ The following points can serve as a checklist to design the security mechanism o 1. **Simple Management**. Securing only the APIs that need to be secure. Any time the more complex solution is made "unnecessarily", it is also likely to leave a hole. 2. **HTTPs must be always used**. - By always using SSL, authentication credentials can be simplified to a randomly generated access token. The token is delivered in the username field of HTTP Basic Auth. It is relatively easy to use, and you get a lot of security features for free. + TLS ensures the confidentiality of the transported data and that the servers's hostname matches the server's SSL certificate. - If HTTP 2 is used, to improve performance, you can even send multiple requests over a single connection, this way you will avoid the complete overhead of TCP and SSL on subsequent requests. 3. **Using hash password**.
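Review bot: The replacement line in point 2 has a typo ("servers's") and overstates what TLS gives you on its own: hostname matching only holds when the client validates the certificate chain against a trusted root and checks the hostname against the certificate, so the sentence should say so, and it should also mention integrity, which is the other property TLS provides for transported data. Suggested wording: "TLS ensures the confidentiality and integrity of the transported data and, provided the client validates the certificate chain and hostname, that the server's hostname matches its TLS certificate." Two smaller consistency points in the same hunk: the new text says "SSL certificate" while the sentence opens with "TLS", and the retained heading still reads "HTTPs" (should be "HTTPS"); the unchanged following line also still says "TCP and SSL". Since the removed sentence was the only place in this checklist item that covered how credentials are carried (the access-token-in-Basic-Auth advice), and the commit message says authentication is a separate topic, consider adding a cross-reference to the section where that is now covered so the checklist does not lose the pointer.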