I'm considering what base URL to use for a REST web service. I have the option of using one of the following formats:

  1. https://domain.com/api
  2. https://api.domain.com

I'd like to make it both easy to use from client-side JavaScript apps and secure against forged request attacks. Is there a best practice to follow here?

+1  A: 

If domain.com is a shared domain, then every part should have its own subdomain and no one should use the main domain; that is a must for keeping all sessions separate.

If domain.com is a private domain, it doesn't matter.

eBusiness
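
As an added example (not part of the original answer), this sketch applies the RFC 6265 domain-match and path-match rules to show which session cookies a browser would attach under each base URL layout. The cookie names, the `setBy` field and the request URLs are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: a host matches a cookie Domain if it is equal
// to it or is a subdomain of it (IP addresses never match by suffix).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return host.endsWith("." + cookieDomain) && !/^[\d.]+$/.test(host);
}

// RFC 6265 section 5.1.4: the cookie path must be a whole-segment prefix.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// A cookie set without a Domain attribute is host-only: it goes back
// only to the exact host that set it (recorded here as setBy).
function isSent(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const hostOk = cookie.domain
    ? domainMatch(hostname, cookie.domain)
    : hostname.toLowerCase() === cookie.setBy.toLowerCase();
  return hostOk && pathMatch(pathname, cookie.path || "/");
}

function cookiesFor(url, jar) {
  return jar.filter((c) => isSent(c, url)).map((c) => c.name);
}

// Constructed cookie jar covering both layouts from the question.
const jar = [
  { name: "site_session", setBy: "domain.com", path: "/" },
  { name: "api_session", setBy: "domain.com", path: "/api" },
  { name: "sub_session", setBy: "api.domain.com", path: "/" },
  { name: "wide_session", setBy: "domain.com", domain: "domain.com", path: "/" },
];

for (const url of [
  "https://domain.com/api/items",
  "https://domain.com/blog",
  "https://api.domain.com/items",
  "https://other.domain.com/",
]) {
  console.log(url, cookiesFor(url, jar));
}
```

Only the host-only cookies stay on the host that set them; the cookie set with `Domain=domain.com` is sent to every subdomain, so separate subdomains keep sessions apart only when session cookies omit the Domain attribute.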