HTTPS is good but it's not good enough for web api context because it only protects client-server communications.
Prompting the user is good but it's not good enough for web api context because users can't be fully informed by a one line prompt.
I was asked to help my mother in law with her PC. When I looked at the screen it was half covered by W10 notifications from web sites. I asked her, how do you use this. And she sad, I don't know how that happened and I don't know how to stop it. Of course she gave permission but she could not understand how bad web sites would abuse notifications so she couldn't make a fully informed decision . It was sad. I turned all off.
Now, developers will say that it's impossible to fully inform a user but when that's the case should we really push that anyway to the user?
Hmm, at least it's easy for someone else (you) to help her fix it?
This is a bit of a tangent, but as tech support workers soon learn, it's unrealistic to expect everyone in a large pool of users to be independent of tech support. We have a myth of competent independence that works for some but it's not reality.
This goes double when your business includes retirees. As people age, many businesses have to figure out how to handle cognitive decline and death of their customers gracefully. (I'm thinking financial institutions in particular.)
Browsers try to make the open web safe for everyone, but it seems to be based on the median user and many users are well below average.
Prompting the user is good but it's not good enough for web api context because users can't be fully informed by a one line prompt.
I was asked to help my mother in law with her PC. When I looked at the screen it was half covered by W10 notifications from web sites. I asked her, how do you use this. And she sad, I don't know how that happened and I don't know how to stop it. Of course she gave permission but she could not understand how bad web sites would abuse notifications so she couldn't make a fully informed decision . It was sad. I turned all off.
Now, developers will say that it's impossible to fully inform a user but when that's the case should we really push that anyway to the user?