Webapp should not be accessible from browser on api domain
Using e.g. https://api.demo.bitmask.net:4430/, you can access the webapp just like on https://demo.bitmask.net (except that it uses a different SSL cert). The api domain should only be accessible to api calls, and not serve the whole webapp.
(from redmine: created on 2014-11-18)