API key in header or URL


This topic contains 1 reply, has 1 voice, and was last updated by  Daved Daly 7 months, 1 week ago.

    #5229

    James

    We have had a user raise a query about the security of sending the API key in the URL of a query.

    I hope they don’t mind me quoting directly:

    “Your REST API uses API keys in URL. This has several security flaws and you should in general never send sensitive data inside a URL. It is common practice to send API keys in HTTP Authorization headers.
    Here is an article about query parameters over HTTPS and their security flaws:
    http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/”

    We could potentially either force users to use header authorization only (most secure), or allow it as an option where users can use either the URL or the request header. I’ve never heard of this kind of thing being exploited in the wild, but with financial transactions we need to be as careful as possible.

    Anyone have any comments or suggestions on this?

    Thank you to the user who sent this in, who will remain anonymous, unless they wish to comment publicly.

    #5273

    Daved Daly

    This is definitely NOT best practice…
    but realistically, unless you fear the NSA decrypting your SSL cert, this doesn’t matter much.

    But it would provide protection for when you get hacked and someone has easy access to the data from web server logs.
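One way to implement the header-first option James describes, together with the log-side protection Daved's reply points at, as an added example that is not code from this forum or from the API in question. The `Bearer` scheme and the `api_key` query-parameter name are assumptions; the thread does not name the actual parameter.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the API's query-string parameter is called "api_key".
QUERY_KEY_PARAM = "api_key"


def extract_api_key(headers, query, allow_query_key=False):
    """Return (key, source) or (None, None).

    The Authorization header is always accepted and always wins over the
    URL. The query string is only consulted when the operator opts in,
    which maps onto the "header only" vs "either" choice in the thread.
    """
    auth = headers.get("Authorization", "")
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip(), "header"
    if allow_query_key and query.get(QUERY_KEY_PARAM):
        return query[QUERY_KEY_PARAM], "url"
    return None, None


def redact_url_for_log(url, secret_params=(QUERY_KEY_PARAM,)):
    """Replace secret query values before the request line is logged.

    A key carried in the URL lands in web-server access logs, proxy logs
    and browser history, whereas a header value does not. Redacting at
    log time limits what someone who later reads those logs recovers.
    """
    parts = urlsplit(url)
    redacted = [
        (k, "REDACTED" if k in secret_params else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    # Constructed sample request: key sent both ways, header must win.
    hdrs = {"Authorization": "Bearer hdr-key"}
    qs = {"api_key": "url-key"}
    print(extract_api_key(hdrs, qs, allow_query_key=True))
    print(redact_url_for_log(
        "https://api.example.com/v1/balance?account=42&api_key=url-key"))
```

If the URL fallback is kept, the redaction step belongs in the access-log formatter as well as in application logs, since the web server writes the request line before the application sees it.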
