I am going to create a POST request and I am using a token. Why do I have to put the token into the headers instead of the request body? My understanding is that the body is more secure than HTTP headers; is that so?
Or is the only reason to put the token into the headers to separate it and maintain consistency among the multiple methods in our APIs?
An HTTP (request) body is the one which carries the actual HTTP request data (including form data, uploads, etc.) and the HTTP response data from the server (including files, images, etc.), while an HTTP request header cannot contain actual data like the above.
HTTP security headers are a fundamental part of website security. Upon implementation, they protect you against the types of attacks that your site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc.
Why are HTTP security headers necessary? As you know, nowadays too many data breaches are happening, and many websites are hacked due to misconfiguration or lack of protection. These security headers will protect your website from some common attacks like XSS, code injection, clickjacking, etc.
An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value.
A header is more convenient for the server.
Imagine an API where you upload a file as the body of a PUT request: if the token were also in the body, you'd have to deal with encoding the body in some way to make it clear which part is the token and which is the uploaded file.
If the body is JSON, you could put the token next to the body (in which case you can't just JSON.parse it; you need to again decode how they fit together), or you can bury the token inside the JSON (in which case you have to download the entire JSON and parse it before you can get at the token).
A header can be accessed before the body is downloaded, so if a malicious agent is performing a DoS attack on your server by sending you tons of 100Mb requests, you can detect the lack of proper authorisation as soon as the headers are received and shut down the connection without having to download and analyse the 100Mb payload.
I can't see any benefit of having the token in the body, as opposed to in the header.
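The point made in the answer above (the header section arrives first, so an authorisation decision can be taken before a single byte of the body is consumed, whereas a token buried in a JSON body forces the server to read and parse the whole payload) can be seen in a small request reader. This is an added example, not code from the original thread; the token value, the request bytes and the `Content-Length` values are constructed for illustration, and the `MAX_HEADER_BYTES` limit is an assumed local policy.

```python
"""Added example: decide authorisation from the HTTP header section alone,
leaving the body unread, and contrast that with a token carried in a JSON body.
Token value and request bytes are constructed for illustration."""
import hmac
import io
import json
from typing import Dict, Tuple

# Constructed demo secret; a real service would look the token up in a store.
EXPECTED_TOKEN = b"demo-token-123"
MAX_HEADER_BYTES = 8 * 1024  # assumed policy: refuse oversized header sections early


def read_headers(stream: io.BufferedIOBase) -> Tuple[str, Dict[str, str]]:
    """Read the request line and headers up to the blank line.
    Only the header section is consumed; the body stays in the stream."""
    request_line = stream.readline(MAX_HEADER_BYTES).decode("latin-1").rstrip("\r\n")
    headers: Dict[str, str] = {}
    consumed = len(request_line)
    while True:
        line = stream.readline(MAX_HEADER_BYTES)
        consumed += len(line)
        if consumed > MAX_HEADER_BYTES:
            raise ValueError("header section too large")
        if line in (b"\r\n", b"\n", b""):
            break  # blank line ends the header section
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return request_line, headers


def token_is_valid(token: str) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(token.encode("utf-8"), EXPECTED_TOKEN)


def authorise_from_header(stream: io.BufferedIOBase) -> Tuple[int, bytes]:
    """Return (status, body). A 401 is decided before the body is touched,
    so a hostile client cannot force the server to buffer a large payload first."""
    _, headers = read_headers(stream)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token_is_valid(token):
        return 401, b""  # connection can be closed here; body never read
    length = int(headers.get("content-length", "0"))
    return 200, stream.read(length)


def authorise_from_json_body(stream: io.BufferedIOBase) -> Tuple[int, bytes]:
    """The alternative the answer argues against: the token lives inside the JSON
    body, so the entire body must be read and parsed before any decision."""
    _, headers = read_headers(stream)
    length = int(headers.get("content-length", "0"))
    body = stream.read(length)  # whole payload consumed, authorised or not
    try:
        token = json.loads(body).get("token", "")
    except (ValueError, AttributeError):
        return 400, body
    return (200, body) if token_is_valid(token) else (401, body)


def handle(raw: bytes, strategy) -> Tuple[int, bytes, int]:
    """Process one raw request and report how many body bytes were left unread."""
    stream = io.BytesIO(raw)
    status, body = strategy(stream)
    return status, body, len(raw) - stream.tell()


if __name__ == "__main__":
    bad = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Authorization: Bearer wrong\r\nContent-Length: 5\r\n\r\nhello")
    print(handle(bad, authorise_from_header))
```

Running `handle` on a request with a bad bearer token returns status 401 with all body bytes still unread, while the JSON-body strategy has to consume the full payload before it can return the same 401.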