Every API MUST require secure connections with TLS 1.2. That is, an API using the HTTP protocol MUST use HTTPS.
Any non-TLS requests SHOULD be ignored. In HTTP environments where this is not possible, a non-TLS request SHOULD result in the 403 Forbidden response.