Reputation: 11721
I have an ASP.NET Web API project.
The project validates all the requests by receiving a parameter named sessionToken:
http://myapi.com/api/applications/getApplications?sessionToken=xxx
However, I heard that it is not safe to send sensitive parameters via public URLs, and I've seen an example where I can add the sessionToken parameter inside the header of the HttpClient request:
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Sends the session token in a request header instead of the query string
static async Task<string> GetApplicationsAsync()
{
    using (HttpClient client = new HttpClient())
    {
        client.BaseAddress = new Uri("http://myapi.com/");
        client.DefaultRequestHeaders.Add("sessionToken", "xxx");
        HttpResponseMessage response = await client.GetAsync("api/applications/getApplications");
        return await response.Content.ReadAsStringAsync();
    }
}
I am happy that now I can read the parameter without having to put it in the URL.
Is it safe to send sensitive data via HTTP request headers? (Of course they will be encrypted, at least.)
Upvotes: 4
Views: 2452
Reputation: 4225
Unless the connection is encrypted, I believe sending any sensitive information in the URL or a header is not a good idea. If you still want to send it over unsecured HTTP, use some sort of public/private key encryption which can encrypt the data. I have built an application where the URL contains some encrypted data which is valid for a short span (for example 2 minutes).
Upvotes: 1
Reputation: 3908
You are right that putting security-sensitive information in the URL is not a good idea. It can lead to information disclosure.
Putting it in a header is recommended. Here are some further suggestions:
Use the Authorization header instead of a custom header. The Authorization header is designed for authentication purposes. You can define your own scheme, or you can use an existing scheme like Bearer as defined in OAuth 2.0 instead of reinventing the wheel.
The client should always use TLS to protect against MITM attacks.
The client should always check the certificate chain when making requests to avoid DNS hijacking attacks.
Set a short expiration on the token to limit replay attacks.
Make sure your client code won't store the token in unsafe places that can be accessed by others.
Upvotes: 2
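A worked example of the suggestions in the answer above, added here and not taken from either answer or from the asker's project: the client sends the session token in the Authorization header using the Bearer scheme over HTTPS, and a Web API 2 filter validates the scheme and rejects expired tokens. The in-memory SessionTokenStore, the token lifetime and the https://myapi.com/ address are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
// Hypothetical server-side store: token -> expiry time (constructed for this example).
public static class SessionTokenStore
{
    static readonly ConcurrentDictionary<string, DateTime> Tokens = new ConcurrentDictionary<string, DateTime>();
    // Issue a short-lived token so a captured token is only useful for a small window.
    public static string Issue(TimeSpan lifetime)
    {
        string token = Guid.NewGuid().ToString("N");
        Tokens[token] = DateTime.UtcNow.Add(lifetime);
        return token;
    }
    // Valid only if the token is known and has not expired.
    public static bool IsValid(string token)
    {
        return token != null && Tokens.TryGetValue(token, out DateTime expiry) && expiry > DateTime.UtcNow;
    }
}

// Web API 2 filter: reads "Authorization: Bearer <token>" instead of a query parameter.
public class SessionTokenAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return false; // missing header or wrong scheme -> 401 from the base class
        return SessionTokenStore.IsValid(auth.Parameter);
    }
}
// Client side: TLS (https) protects the header in transit; the token never appears in the URL or server logs.
public static class ApiClient
{
    public static async Task<string> GetApplicationsAsync(string sessionToken)
    {
        using (HttpClient client = new HttpClient())
        {
            client.BaseAddress = new Uri("https://myapi.com/");
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", sessionToken);
            HttpResponseMessage response = await client.GetAsync("api/applications/getApplications");
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Apply [SessionTokenAuthorize] to the controller or action; a token issued with SessionTokenStore.Issue(TimeSpan.FromMinutes(2)) stops validating after two minutes even if it was captured.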