Is there still a need for the web applications/API to use HTTPS if the proxy server is already using it in microservices architecture?

Is your question equivalent to *"Should I encrypt connections that never leave the machine the proxy is running on?"*

If you go through previous discussions under a variety of contexts, the answer should be obvious, https://security.stackexchange.com/search?q=https+internal# If you can get a certificate for the proxy server, I wonder why you cannot do the same for other applications.

IMHO it depends on the security. if a user is doing authentication, it should be encrypted e2e on any ways. But that should be more a security question. as Told. If you can ensure I. e. because you are working on EU Region that noone can interrupt the traffic in MITM attack which imho you will never be able to, you can do so. If it's just a plane information site, which noone can login for my knowledge it would not make sense to do e2e encryption. Remind that public services can also be affected by the GDPR when you are serving a service to any of the affected locations or look like too

@anx yeah, I'm planning to host everything containerized. And I'm not really good at standard on terms of security so I have no idea how attackers do their stuffs.

@LexLi Sorry, I'm a software dev but haven't explored security that deep, so I don't know what are the terms to search for this. I tried to search but it looks like I'm using different terms. Regarding the certificates, I'm currently using self-signed ones and based on what I found, looks like the certificates you buy are based on domain names. I think I need to do deeper research on how these SSL, certificates, and secured connection works.

@djdomi yeah, that is what I'm thinking in practical way. Plus, SSL certificates are quite pricey for my small solo project, who knows when will it get people's attention.

pricy? let's encrypt for example is free of charge even for wildcard domains. So no excuses?! Next try ;)

Since you are just the developer, I suggest you escalate this to your network administrators who should have extensive knowledge on such topics. A company or an institute is likely to have its own certificate authority, so that any kind of certificates can be easily generated and managed.

I sit in a Tesla and translated this thread with Ai: