Even if the call to the lookup endpoint is done using HTTPS, the redirect will be to HTTP.
For example: https://api.tvmaze.com/lookup/shows?thetvdb=264492
Is redirected to: http://api.tvmaze.com/shows/1
Even if the call to the lookup endpoint is done using HTTPS, the redirect will be to HTTP.
For example: https://api.tvmaze.com/lookup/shows?thetvdb=264492
Is redirected to: http://api.tvmaze.com/shows/1
Yeah, this isn't great but I'm afraid you're stuck with it for the time being. HTTPS requests aren't cached separately from HTTP requests, but using a relative URL in the HTTP location is semi-unsupported so there's no possible value that's sane for both HTTP and HTTPS.
If you need to work around it, you could use e.g. CURLOPT_FOLLOW = false, and manually fetch CURLINFO_REDIRECT_URL.
Just noticed that the other links in API calls are always HTTP as well, such as images and _links.previousepisode.href
Could this be changed so that the JSON is returned with links as HTTPS?
Yeah, for the same reason, caching/resources. I already wrote about this in the original announcement :)
I'll likely flip that around once more than 50% of the API requests uses HTTPS.