Using a RESTful API - Is it secure?

Question

We are partnering with a service provider which exposes their services via RESTful API.

We can authenticate with the API by passing a username and password as URL parameters.

Example: https://example.com/api/service.json?api_user=Username&api_key=Password

I know this is using SSL. However, since the username and password are part of the URL, couldn't this be intercepted by a third party?

Answer 1

No, a third party will only be able to see the destination (example.com). The rest of the URL is actually embedded inside the request.

It helps to understand the process of how an HTTP (or HTTPS) request is made.

1. determine protocol (in this case HTTPS, using port 443)
2. get IP address of server using DNS
3. establish a TCP connection to server (if SSL is involved, it's a bit more complicated)

4. issue a request to server on the new connection which will look something like

   GET /api/service.json?api_user=Username&api_key=Password

Since the actual request is part of the encrypted data stream, there's no way for someone monitoring the connection to extract sensitive information.

Answer 2

The previous answers are both technically correct; if you're using HTTPS, the URL and querystring data will be encrypted prior to transmission and can be considered secure.

However, the fact that an API is asking for a username and password as querystring parameters may indicate a somewhat lax approach to security.

For example, many webservers will log the request querystring parameters by default , which means that your plain-text credentials might be lying around on disk somewhere (and many companies will store, or back up, webserver logs in insecure ways).

In short: passing credentials as querystring parameters isn't a security risk per se, but is generally a bad practice and may be symptomatic of larger security issues.