Menu
The client sends HTTP requests with the Authorization header that contains the Basic word followed by a space and a base64-encoded username:password string. For example, a header containing the demo / p@55w0rd credentials would be encoded as: Authorization: Basic ZGVtbzpwQDU1dzByZA==
The main point was that urls get logged by intermediate servers more frequently and thus sensitive information could appear in logs. If we continue this idea for headers/body , I would suggest that headers are more likely to be logged if compared to body.
The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource. The Authorization header is usually, but not always, sent after the user agent first attempts to request a protected resource without credentials.
HTTP supports the use of several authentication mechanisms to control access to pages and other resources. These mechanisms are all based around the use of the 401 status code and the WWW-Authenticate response header. The client sends the user name and password as unencrypted base64 encoded text.
Which is the right approach to send user credentials from the front end to the backend server? I see examples where some developers use the authorization headers and some pass the credentials in the POST body.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With