Reputation: 1153
Which is the right approach to send user credentials from the front end to the backend server? I see examples where some developers use the authorization headers and some pass the credentials in the POST body.
Upvotes: 11
Views: 19868
Reputation:
Credentials usually go to the request body once, when trying to log in. You should receive a token in return, although whether you send this token via HTTP header, request body or as a GET param is up to you (or the protocol you are implementing).
It's generally a good practice to use the header, because GET requests shouldn't include a request body and passing the token as a GET parameter may not always be an option (e.g. due to the token appearing in various logs).
Either way, I would advise you to avoid trying to implement your own protocol and use an existing standard instead.
Upvotes: 14
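The exchange described in the answer above, as an added, runnable example that is not part of the original post: the credentials travel in the POST body exactly once (to `/login`), the server answers with a token, and every later request carries that token in an `Authorization: Bearer` header rather than in the URL. The server, the `/login` and `/me` routes, the user store and the HMAC-signed token format are all assumptions made for this demo; a real deployment would use an established standard (OAuth 2.0 bearer tokens, JWT, or a framework's session layer) and would only ever run over HTTPS, which this localhost example omits.

```python
import hashlib
import hmac
import json
import os
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed demo user store: the password is stored as a salted PBKDF2 hash,
# never in plaintext. Assumption for the example only.
_SALT = os.urandom(16)
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SERVER_KEY = secrets.token_bytes(32)  # per-process HMAC key for signing tokens (assumption)
TOKEN_TTL = 3600  # seconds


def issue_token(username):
    """Toy bearer token: hex(JSON claims) + '.' + HMAC-SHA256 over the claims."""
    payload = json.dumps({"sub": username, "exp": int(time.time()) + TOKEN_TTL}).encode()
    sig = hmac.new(SERVER_KEY, payload, "sha256").hexdigest()
    return payload.hex() + "." + sig


def verify_token(token):
    """Return the subject if the signature checks out and the token is unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] >= time.time() else None


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # Credentials arrive in the request body, once, on the login route.
        if self.path != "/login":
            return self._send(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", 0))
        try:
            creds = json.loads(self.rfile.read(length))
            user, password = creds["username"], creds["password"]
        except (ValueError, KeyError, TypeError):
            return self._send(400, {"error": "bad request"})
        stored = USERS.get(user)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        if stored is None or not hmac.compare_digest(stored, digest):
            return self._send(401, {"error": "invalid credentials"})
        self._send(200, {"token": issue_token(user)})

    def do_GET(self):
        # Protected route: the token is read from the Authorization header only,
        # never from the query string, so it stays out of access logs and history.
        if self.path != "/me":
            return self._send(404, {"error": "not found"})
        auth = self.headers.get("Authorization", "")
        user = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if user is None:
            return self._send(401, {"error": "unauthorized"})
        self._send(200, {"user": user})


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: let the OS pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _call(url, method="GET", body=None, token=None):
    """Minimal client: JSON body for POST, Bearer header for authenticated calls."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, json.loads(e.read())


def login(base, username, password):
    status, body = _call(base + "/login", "POST", {"username": username, "password": password})
    return body.get("token") if status == 200 else None


def whoami(base, token):
    return _call(base + "/me", token=token)


def demo():
    """Run the full exchange against the in-process server and report each outcome."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        bad = login(base, "alice", "wrong")                      # 401 -> None
        token = login(base, "alice", "correct horse")            # 200 -> token
        me = whoami(base, token)                                 # (200, {'user': 'alice'})
        no_token = whoami(base, None)                            # 401
        flipped = "0" if token[-1] != "0" else "1"
        tampered = whoami(base, token[:-1] + flipped)            # signature mismatch -> 401
        return {"bad_login": bad, "token_issued": token is not None,
                "me": me, "no_token": no_token[0], "tampered": tampered[0]}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The client never re-sends the password after the first call, and the server never sees the token anywhere but the header. Swapping `issue_token`/`verify_token` for a library that implements a real standard changes nothing about where the credentials and the token travel.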
Reputation: 195
The only safe method for a website to transfer a password to the server is using HTTPS/SSL. If the connection itself is not encrypted, a man-in-the-middle can modify or strip away any JavaScript sent to the client. So you cannot rely on client-side hashing.
Moreover, always use headers for sending sensitive data like USER-ID, API-KEY, AUTH-TOKENS. You can refer to this Stack question (link) for more information, and also this link.
Upvotes: 7