Is https secure for api interfaces?

It has always been known that https is safer than http, and the transmitted data is encrypted balalabala... Does my api use https to encrypt and decrypt messages in the program? If the security score is out of one hundred, the following scores will be set to a fraction of 1, using http2 directly, using http,... it has always been known that https is safer than http, and the transmitted data is encrypted balalabala...
Does my api use https to encrypt and decrypt messages in the program?
If the security score is out of one hundred, the following scores will be a few points
1. directly use http
2. use http, but use the encryption and decryption function to encrypt and decrypt data.
3. use https
4. use https and use the encryption and decryption function to encrypt and decrypt data.

Reply content:

It has always been known that https is safer than http, and the transmitted data is encrypted balalabala...
Does my api use https to encrypt and decrypt messages in the program?
If the security score is out of one hundred, the following scores will be a few points
1. directly use http
2. use http, but use the encryption and decryption function to encrypt and decrypt data.
3. use https
4. use https and use the encryption and decryption function to encrypt and decrypt data.

1 = 50 points, no security, API content will be transmitted in plain text, and easy to be hijacked
2 = 60 points, encryption and decryption functions will have many issues to consider. if only symmetric encryption is used, it is actually not much safer than solution 1.
3 = 90. In fact, this method should be called TLS. it is safe enough. for details about the security mechanism, refer to this article.
4 = 80 points. since TLS has been implemented, another encryption operation will not improve the complexity of the cracking, but will result in a loss of performance.

The cost-effective method must be 3, https
If your api requires a lot of security requirements, you can use https + to implement encryption and decryption on your own.
I mean don't over-optimize it. if it is really necessary, it depends on your business scenario.

Https involves the encryption and decryption process, asymmetric encryption, and symmetric encryption, which takes a long time.
Therefore, using https for the same interface is certainly slower than http, and the speed is several to several dozen to several hundred milliseconds. you can test this by yourself.

The problem solved by HTTPS is not only encryption, but also authentication. it proves that the server is actually the server you want and your own encryption is not very useful.
If it is assumed that the network is insecure, no matter how you encrypt it, it will be useless. The key will be invisible from the very beginning.
Asymmetric Encryption may still be useful. it is safe to switch the key, but HTTPS has been implemented. What else can I do?

Is there any way to prevent web page sniffing passwords (man-in-the-middle attacks )?

I have discussed the security level evaluation from the aspect of encryption. I will express my views on cracker:

1. Direct Visual Analysis

2. Analysis client decryption function

3. Implement proxy forwarding using forged certificates

4. 3+2

Https only ensures the relative security of the transmission process, but it is far from safe.
As long as your code runs on the client, it may be reversed.
What you can do is to complicate client encryption as much as possible...