We could potentially either force users to use header authorization only (most secure), or allow it as an option where users can use either the URL or the request header. I’ve never heard of this kind of thing being exploited in the wild, but with financial transactions we need to be as careful as possible.
Anyone have any comments or suggestions on this?
Thank you to the user who sent this in, who will remain anonymous, unless they wish to comment publicly.
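To make the two options in the submitted question concrete, here is an added example (my code, not the submitter's or their project's) of a token-extraction routine with a strict header-only mode and a permissive header-or-URL mode, alongside what a typical access log would record for each. The `Bearer` scheme, the `api_key` query parameter name, the sample URLs and the log format are all assumptions made for this illustration; nothing in the submission specifies them.

```python
"""Added example, not part of the original post: header-only versus
header-or-URL API authentication, and why the URL variant leaks.

Assumptions (chosen for the example, not taken from the post): a
Bearer-style token, a hypothetical 'api_key' query parameter, and a
Combined-Log-Format style access log, which logs the request line
(path plus query string) but not request headers.
"""
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit


def extract_token(method, url, headers, allow_query=False):
    """Return (token, source) or (None, None).

    Strict mode (allow_query=False) honours only the Authorization header,
    the 'header authorization only' option. Permissive mode additionally
    accepts ?api_key=... in the URL, the 'either URL or header' option.
    The header is always checked first so a client that sends both is
    treated as a header client.
    """
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip(), "header"
    if allow_query:
        qs = parse_qs(urlsplit(url).query)
        if qs.get("api_key"):
            return qs["api_key"][0], "query"
    return None, None


def access_log_line(method, url, status):
    """Mimic what most web servers write per request: the request line,
    including the full query string. Headers are not written."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'10.0.0.5 - - "{method} {target} HTTP/1.1" {status} 42'


def leaks_into_log(method, url, headers, token):
    """True if the credential would appear verbatim in the access log."""
    return token in access_log_line(method, url, 200)


def redact_query_token(url, param="api_key"):
    """Mitigation if URL tokens must stay supported: strip the credential
    from the URL before it reaches logs, analytics or a Referer header."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if param in qs:
        qs[param] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


# Constructed sample requests for this example; the token is made up.
TOKEN = "sk_live_abc123"
HEADER_REQ = ("GET", "https://api.example.com/v1/transfer?amount=100",
              {"Authorization": "Bearer " + TOKEN})
QUERY_REQ = ("GET",
             "https://api.example.com/v1/transfer?amount=100&api_key=" + TOKEN,
             {})


if __name__ == "__main__":
    for req in (HEADER_REQ, QUERY_REQ):
        tok, src = extract_token(*req, allow_query=True)
        verdict = "LEAKS" if leaks_into_log(*req, tok) else "not logged"
        print(f"{src:6s} {verdict:10s} {access_log_line(req[0], req[1], 200)}")
    print("redacted:", redact_query_token(QUERY_REQ[1]))
```

Running it shows the header-carried token never reaches the log line, while the query-carried token is written verbatim; the same URL would also travel in a Referer header if the response page links anywhere, and sit in browser history and proxy caches. If the permissive option is kept, `redact_query_token` shows the minimum hygiene: rewrite the URL before anything downstream sees it.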