
Sending passwords over HTTPS: GET vs POST

Tags: rest, https

I'm creating a headless API that's going to drive an Angular front end. I'm having a bit of trouble figuring out how I should handle user authentication though.

Obviously the API should run over SSL, but the question that's coming up is how I should send the request that contains the user's password: over GET or POST. It's a RESTful API, so what I'm doing is retrieving information, meaning it should be a GET request. But sending the password over GET means it's part of the URI, right? I know even a GET request is encrypted over HTTPS, but is that still the correct way? Or is this a case to break from RESTful and have the data in the body or something (can a GET request have data in the body?).

444 likes
Rohit asked Jul 27 '17 13:07


People also ask

Is it OK to send password over HTTPS?

Quick Answer: It is standard practice to send "plain text" passwords over HTTPS via the POST method. The communication between client and server is encrypted by TLS, so HTTPS secures the password in transit.

Why you shouldn't send passwords in a GET request?

Passwords submitted using the GET method may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Is HTTP POST more secure than GET?

GET is less secure than POST because the data sent is part of the URL. POST is a little safer than GET because the parameters are stored neither in the browser history nor in the web server logs.

Should login be GET or POST?

In the case of logins, that means: ALWAYS use POST. GET is for GETTING information from the server; POST is for POSTING information to the server.


1 Answer

If you pass the credentials in a request header, you will be fine with either a GET or POST request. You have the option of using the established Authorization header with your choice of authentication scheme, or you can create custom headers that are specific to your API.

When using header fields as a means of communicating credentials, you do not need to fear the credentials being written to the access log as headers are not included in that log. Using header fields also conforms to REST standards, and should actually be utilized to communicate any meta-data relevant to the resource request/response. Such meta-data can include, but is not limited to, information like: collection size, pagination details, or locations of related resources.

In summary, always use header fields as a means of authentication/authorization.

77 likes
Joshua Jones answered Sep 17 '22 22:09
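As an added example (not code from the question or the answer above), the following Node.js snippet builds the same GET request both ways, with the password in the query string versus in an Authorization header using the Basic scheme, parses that header on the server side, and shows what a typical access-log line records for each. The API host, path and credentials are constructed sample values.

```javascript
// Added example: header-borne credentials vs. URL-borne credentials on a GET.
// Uses only Node.js globals (URL, Buffer); the host and path are constructed.

// The approach the question worries about: password becomes part of the URI.
function requestWithQueryCredentials(base, user, password) {
  const url = new URL('/api/session', base);
  url.searchParams.set('user', user);
  url.searchParams.set('password', password);
  return { method: 'GET', url: url.toString(), headers: {} };
}

// The approach the answer recommends: same GET, credentials only in a header.
function requestWithBasicAuth(base, user, password) {
  const token = Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
  return {
    method: 'GET',
    url: new URL('/api/session', base).toString(),
    headers: { Authorization: `Basic ${token}` },
  };
}

// Server side: recover user and password from an Authorization: Basic header.
// Returns null when the header is absent or uses another scheme.
function parseBasicAuth(headers) {
  const value = headers.Authorization || headers.authorization;
  if (!value) return null;
  const [scheme, token] = value.split(' ');
  if (scheme !== 'Basic' || !token) return null;
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// A common-log-format style request line: method and request target only.
// Headers are not part of it, so Basic credentials never reach this line;
// query-string credentials do, because the query is part of the target.
function accessLogLine(req) {
  const { pathname, search } = new URL(req.url);
  return `"${req.method} ${pathname}${search} HTTP/1.1"`;
}

// Demo with constructed values
const demoBase = 'https://api.example.test';
console.log(accessLogLine(requestWithQueryCredentials(demoBase, 'alice', 'hunter2:x')));
console.log(accessLogLine(requestWithBasicAuth(demoBase, 'alice', 'hunter2:x')));
```

The second log line contains no credential at all, which is the property the answer relies on; note that a server can still be configured to log headers, so the default log format is what keeps this true.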