Perhaps you have something else in mind and/or I'm misunderstanding here, but if you are accessing "secure" information via plain HTTP, isn't that about the equivalent of an API that would render the whole security assumption moot?