Reputation: 11835
As you know, for Basic HTTP authentication, in the Authorization header, Base64 is used to encode the string:
username:password
I don't know why HTTP really expects this, but my question is about my REST web service. If I use a custom HTTP header which I use to keep the userid:token pairs, is it safe to not Base64 them? Can I send plain text, as it is?
Note: I use HTTPS, and this is NOT a security question
Upvotes: 0
Views: 7164
Reputation: 7952
is that safe to not Base64 them?
If you do not base64 encode them, there is a possibility that one of the text characters in the username or password is not a valid HTTP header character. You would need to study the HTTP RFC to ensure that this is not an issue for your application.
For example, does your app allow whitespace within the password? Things like that...
Or you can just base64 encode the username/password and know that you are safe from violating the HTTP protocol.
Upvotes: 7
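The header-character concern in the answer above, as an added example that is not part of the original thread: a conservative RFC 7230 field-value check showing which raw userid:token strings would break a header and that the Base64 form never does. The function names (is_valid_header_value, encode_credentials, decode_credentials) and the sample credentials are my own.

```python
import base64
import re

# RFC 7230 section 3.2: field-value = *( field-content / obs-fold )
#   field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
#   field-vchar   = VCHAR / obs-text
# This check accepts VCHAR (0x21-0x7E) plus interior SP/HTAB only. Bytes 0x80-0xFF
# are "obs-text" (obsolete), and CR/LF/obs-fold are line folding, so all are rejected;
# leading or trailing whitespace is rejected because receivers strip it.
_FIELD_VALUE = re.compile(rb"(?:[\x21-\x7E](?:[\x21-\x7E \t]*[\x21-\x7E])?)?")


def is_valid_header_value(value: bytes) -> bool:
    """True if `value` can be sent verbatim as an HTTP/1.1 header field value."""
    return _FIELD_VALUE.fullmatch(value) is not None


def encode_credentials(userid: str, token: str) -> str:
    """Base64 form of userid:token, as the question describes for Basic auth.

    The userid must not contain ':' because the receiver splits on the first one;
    the token may contain anything. The output alphabet (A-Z a-z 0-9 + / =) is
    always a legal field value, whatever bytes went in.
    """
    if ":" in userid:
        raise ValueError("userid must not contain ':'")
    raw = f"{userid}:{token}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_credentials(header_value: str) -> tuple[str, str]:
    """Inverse of encode_credentials; rejects non-Base64 input instead of guessing."""
    raw = base64.b64decode(header_value, validate=True).decode("utf-8")
    userid, sep, token = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in decoded credentials")
    return userid, token


if __name__ == "__main__":
    # Constructed sample tokens: only the first two survive a header unencoded.
    for token in ("s3cret", "pass word", " trailing ", "pa\r\nss", "p\u00e4ss"):
        raw = f"alice:{token}".encode("utf-8")
        enc = encode_credentials("alice", token)
        print(repr(token), "raw ok:", is_valid_header_value(raw),
              "base64 ok:", is_valid_header_value(enc.encode("ascii")))
```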
Reputation: 32407
You can send them in plain text if you want, if you're using a custom header.
However, if you stick to the Basic HTTP protocol, you'll be able to use standard tools in testing, and clients won't have to add manual extra code to add the header, so I recommend not rolling your own headers if possible.
Upvotes: 2