Hommer Smith

Reputation: 27852

Securing API with access token

I am not using any kind of SSL and I am wondering the following:

If I have a list of API keys stored in my DB, and I force users who want to consume the API to make the calls with the following HTTP header:

'Authorization: Token token="c576f0136149a2e2d9127b3901015545"'

and then I check whether that token exists. Is it secure to put that in the HTTP header? If not, how could I secure it?

Thanks

Upvotes: 2

Views: 386

Answers (1)

ose

Reputation: 4075

No, it is absolutely not secure. It suffers from Man-in-the-Middle and replay attacks.

Putting access control mechanisms in HTTP headers is awful because HTTP has no security. That means all data, including passwords, headers, etc. is transmitted in the clear.

When you use SSL, your HTTP request is tunnelled through a secure connection (why it is secure isn't too important here, just assume it is).

Only then, having ensured the whole HTTP communication is secure by tunnelling it through a secure SSL tunnel, can you safely put access control mechanisms in the header. Although if you are using SSL tunnelling then really it doesn't matter where you put the token.

Upvotes: 1
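As an added example that is not part of the question or answer above: a server-side check for the exact header scheme from the question (`Authorization: Token token="..."`) that stores only digests of the issued tokens, compares them in constant time, and refuses to accept a token on a request that did not arrive over TLS, so a token that was already exposed on a plaintext connection cannot be used. The token store, client name and the `scheme` parameter (meant to be fed from `wsgi.url_scheme` or a trusted `X-Forwarded-Proto` set by your TLS terminator) are assumptions for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed example store: SHA-256 digests of issued tokens keyed by client.
# Keeping only digests means a copied DB does not hand out usable tokens.
TOKEN_DIGESTS: Dict[str, str] = {
    "client-a": hashlib.sha256(b"c576f0136149a2e2d9127b3901015545").hexdigest(),
}

# The header scheme from the question: Token token="<32 hex chars>"
_TOKEN_HEADER = re.compile(r'^Token\s+token="([0-9a-f]{32})"$')


def parse_token_header(value: str) -> Optional[str]:
    """Return the token from an Authorization header value, or None if malformed."""
    match = _TOKEN_HEADER.match(value.strip())
    return match.group(1) if match else None


def lookup_client(token: str) -> Optional[str]:
    """Find the client that owns `token` using a constant-time digest comparison."""
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    for client, stored in TOKEN_DIGESTS.items():
        if hmac.compare_digest(digest, stored):
            return client
    return None


def authenticate(headers: Dict[str, str], scheme: str) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, client name) for a request.

    `scheme` is the transport the request arrived on ("https" or "http"); in a real
    app take it from wsgi.url_scheme or a trusted X-Forwarded-Proto (assumption).
    A token presented over plain HTTP is refused rather than checked: it has
    already been sent in the clear, which is the problem the answer describes.
    """
    if scheme != "https":
        return (403, None)
    value = headers.get("Authorization")
    if value is None:
        return (401, None)
    token = parse_token_header(value)
    if token is None:
        return (400, None)
    client = lookup_client(token)
    if client is None:
        return (401, None)
    return (200, client)
```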
