API Key should not be passed as a parameter #1349
Comments
|
@philippeluickx Where and what kind of change are you proposing/expecting? |
|
@bajiat Common practice is to use HTTP headers for authentication. Changes should be minimal to implement this. |
|
@philippeluickx Still unclear about the impact about this issue. Where in the UI does this occur? |
|
Impact would be how we pass information to the developer (user) of an API. Otherwise no impact in UI. |
|
This approach is implemented here. |
|
@frenchbread so do we have multiple options (and parameter is the default) or is this something new? |
|
@philippeluickx Did not really got your question. Meteor's |
|
Ok, right. So you basically mean that if we want to implement using Headers instead of parameters, this is pretty standard behaviour? |
|
@philippeluickx Yep. |
|
@philippeluickx If we want really be secure about this we could set "pass API key header" as default, otherwise Umbrella accepts both anyway. What you think? |
|
@jykae Sounds good to me. Default to the more safe behavior, but leave the other options open. |
Adding keys in URL is not a safe practice. It stays in (browser) history and call logs. (It is secured though: https://groups.google.com/forum/#!forum/api-craft)
Better option is to pass the key in the header of the requests, e.g. authentication header.
edit: found that URLs are secure, but still best practice to not include sensitive data in URLs
Edited by bajiat:
Definition of done:
The text was updated successfully, but these errors were encountered: