HTTPS across technical endpoints #1
Description
onX defines the message, but it doesn’t define that the message must be transmitted securely. We need to explicitly require HTTPS/TLS (or equivalent) so commands can’t be sent in plaintext.
Details
onX is transport-agnostic and does not mandate a specific network protocol. However, all onX message exchanges MUST be transmitted using a secure transport that provides confidentiality and integrity appropriate for production use.
When onX messages are transported over HTTP-based protocols, implementations MUST use HTTPS with TLS 1.2 or higher. Clients MUST validate TLS certificates and MUST NOT disable certificate verification in production environments.
Plaintext HTTP MAY be used only for local development and testing (e.g., localhost) and MUST NOT be used across untrusted networks. Non-HTTP transports MUST provide equivalent security guarantees.