API Key should not be passed as a parameter #1349
Comments
@philippeluickx Where and what kind of change are you proposing/expecting?
@bajiat Common practice is to use HTTP headers for authentication. Changes should be minimal to implement this.
@philippeluickx Still unclear about the impact of this issue. Where in the UI does this occur?
Impact would be how we pass information to the developer (user) of an API. Otherwise no impact in UI.
This approach is implemented here.
@frenchbread so do we have multiple options (and parameter is the default) or is this something new?
@philippeluickx Did not really get your question. Meteor's
Ok, right. So you basically mean that if we want to implement using Headers instead of parameters, this is pretty standard behaviour?
@philippeluickx Yep.
@philippeluickx If we really want to be secure about this, we could set "pass API key header" as default, otherwise Umbrella accepts both anyway. What do you think?
@jykae Sounds good to me. Default to the more safe behavior, but leave the other options open.
Adding keys in URL is not a safe practice. It stays in (browser) history and call logs. (It is secured though: https://groups.google.com/forum/#!forum/api-craft)
Better option is to pass the key in the header of the requests, e.g. authentication header.
edit: found that URLs are secure, but still best practice to not include sensitive data in URLs
Edited by bajiat:
Definition of done:
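
The following is an added example, not part of the original issue or the project's code. It shows the two sides of the concern raised above: moving a key from the query string into a request header, and finding and redacting keys that already reached an access log. The parameter name `api_key`, the header name `X-Api-Key`, the host and the log lines are assumptions constructed for illustration.

```javascript
// Added example: names and sample data below are assumptions, not project code.
const KEY_PARAM = 'api_key';     // assumed query parameter name
const KEY_HEADER = 'X-Api-Key';  // assumed request header name

// Move a key found in the query string into a request header, so the URL
// that ends up in browser history and access logs no longer carries it.
function moveKeyToHeader(rawUrl, headers = {}) {
  const url = new URL(rawUrl);
  const key = url.searchParams.get(KEY_PARAM);
  if (key === null) return { url: url.toString(), headers: { ...headers } };
  url.searchParams.delete(KEY_PARAM);
  return { url: url.toString(), headers: { ...headers, [KEY_HEADER]: key } };
}

// Scan access-log lines for keys passed as a parameter and redact them.
// Returns the scrubbed lines plus the 1-based line numbers that leaked a key.
function scrubAccessLog(lines) {
  const pattern = new RegExp(`([?&]${KEY_PARAM}=)[^&\\s"]+`, 'gi');
  const leaked = [];
  const scrubbed = lines.map((line, i) => {
    const out = line.replace(pattern, '$1[REDACTED]');
    if (out !== line) leaked.push(i + 1);
    return out;
  });
  return { scrubbed, leaked };
}

// Constructed sample data (not real keys, hosts or log entries).
const sampleLog = [
  '203.0.113.7 - - [01/Jan/2017:10:00:00 +0000] "GET /v1/items?api_key=EXAMPLEKEY123&page=2 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2017:10:00:05 +0000] "GET /v1/items?page=2 HTTP/1.1" 200 512',
];

const fixed = moveKeyToHeader(
  'https://api.example.test/v1/items?api_key=EXAMPLEKEY123&page=2'
);
const report = scrubAccessLog(sampleLog);

console.log(fixed.url, fixed.headers);
console.log('lines with a key in the URL:', report.leaked);
console.log(report.scrubbed[0]);
```

Any key that the scan finds in a log has been stored in plain text and should be rotated, since redacting the log does not undo earlier copies.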