I have noticed that some APIs have you pass an API key as a URL parameter while others have you pass it in the HTTP header. I am developing a web-based application that is going to rely heavily on a REST API, and right now I just have it so the API key is passed through as a URL parameter.
My question is whether or not one of those options is more secure than the other?
In both cases, the API key will be passed unencrypted. So both are insecure unless you use HTTPS.
In practice, the HTTP header turns out to be a little bit more secure because -
Aside: A REST API over the web cannot be secured unless you ask the user to log in with his credentials. Anybody can easily identify the API key and make requests to your server.
EDIT: In response to @segfault's comments -
A website user generally does not enter an API key. They enter their user name and password, and this is traded to get the API key or access token as it is typically called.
If you force your users to enter the API key instead of user name and password, well, it'd be secure. But as I said, I haven't seen any serious application do that.
More specifically, I meant "If a backend API expects an API key, and you are making AJAX calls from the browser, and you don't ask the user for some sort of credentials, you are insecure"
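As an added illustration of the header-vs-URL point (example code, not part of the original answer): a key placed in the query string ends up in the request target, which ordinary access logs and browser history record and which the browser forwards in `Referer`, whereas a key in a header does not. The host `api.example.com`, the parameter name `api_key` and the key value are constructed placeholders; the last function is a defender's check for keys that have already leaked into logs.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed placeholder, not a real credential.
FAKE_KEY = "sk_test_CONSTRUCTED_KEY_12345"
BASE_URL = "https://api.example.com/v1/data"  # hypothetical endpoint


def request_with_key_in_query(base_url: str, key: str) -> dict:
    """Build a request whose API key travels in the URL query string."""
    p = urlsplit(base_url)
    query = urlencode({"api_key": key, "q": "report"})
    return {"method": "GET",
            "url": urlunsplit((p.scheme, p.netloc, p.path, query, "")),
            "headers": {}}


def request_with_key_in_header(base_url: str, key: str) -> dict:
    """Build the same request with the key in an Authorization header."""
    p = urlsplit(base_url)
    return {"method": "GET",
            "url": urlunsplit((p.scheme, p.netloc, p.path, "q=report", "")),
            "headers": {"Authorization": f"Bearer {key}"}}


def access_log_line(req: dict, client_ip: str = "203.0.113.7") -> str:
    """Common-log-format line: records method and full request target,
    including the query string, but never request headers."""
    p = urlsplit(req["url"])
    target = p.path + (f"?{p.query}" if p.query else "")
    return f'{client_ip} - - "{req["method"]} {target} HTTP/1.1" 200 512'


def find_keys_in_log(lines, param_names=("api_key", "key", "token")) -> list:
    """Defender check: flag log lines whose query string carries a
    credential-looking parameter, so leaked keys can be rotated."""
    hits = []
    for line in lines:
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line we understand
        qs = parse_qs(urlsplit(target).query)
        leaked = {name: qs[name][0] for name in param_names if name in qs}
        if leaked:
            hits.append(leaked)
    return hits


if __name__ == "__main__":
    for build in (request_with_key_in_query, request_with_key_in_header):
        print(access_log_line(build(BASE_URL, FAKE_KEY)))
```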