I am currently working on a one-page application that talks to a REST api hosted on a different server and secured by SSL.
I am wondering if I should install an SSL certificate on a server that serves a single-page application, or just install it on a server on the rear panel, considering the following:
A single-page application is the endpoint for password reset links with a confidential token in the query string. These links are emailed to my users. When a user clicks on a link, his browser requests a one-page application. Therefore, the GET request is NOT encrypted and is not a query string.
Then the application asks the user to enter a new password, and this new password is sent via ajax to the rear end, which is SSL protected.
So, I believe that it is worth setting up SSL for my one-page application in order to ensure security for the first review, because the GET request is therefore NOT encrypted, and it is also not a query string, and the token is confidential. However, this would not be necessary if only the second consideration was taken into account, since the connection between the single-page application and the rear end is via SSL (since the single-page application uses Ajax to communicate with the SSL-protected endpoint).
I'm right? Or completely distracted? Thanks!