Reputation: 12900
authenctication token in a queryString
Our current implementation of the REST API uses apiKey inside queryString for all type of request(PUT, POST, GET). I feel it's wrong but can't explain why(maybe the apiKey can be cashed somewhere between server and client). Something like:
POST /objects?apiKey=supersecret {name: 'some'}
So, is it a security problem? Please describe both HTTP and HTTPS connection case
Upvotes: 2
Views: 2974
Answers (1)
Reputation: 1565
HTTP
Your supersecret values can be seen and intercepted by thirdparties whenever you send it from the client to the server or vice versa irrespective of whether you use PUT,POST, etc. This is even true when you use cookies for storing those values instead of query string.
HTTPS:
When the data is in transit between your client and server it cannot be intercepted since its protected by https, even if it is in query string. But most people consider sending data in query string as bad, since many system logs the query strings. For eg most servers are configured to print the access logs with the path & query parameters. Also if its from a browser it can be stored in your browser history.
Upvotes: 7
Related Questions
- API how to use Post QueryString
- Token in query string with Django REST Framework's TokenAuthentication
- Autorest: Authenticating in Query String
- use authentication token in restful C#
- Authorization and the query string in REST API design
- Passing username and password in HTTP GET query parameters
- access token usage in authentication
- REST API authentication tokens
- REST API authentication with query string encryption
- How to implement Querystring authentication