When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?

What is the difference between the two headers below?
Which one is preferred?

  1. X-Auth-Token : dadas123sad12

  2. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Deepak asked Aug 18 '16 11:08



1 Answer

Authorization is the primary header used by clients to authenticate against peers in HTTP, as specified in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given.

The Basic scheme allows clients to provide a username/password pair separated by a colon (:) and encoded in Base64. It cannot be stressed enough that this is a transport encoding that provides no real security benefits. E.g., the example you gave can trivially be 'decrypted' into Aladdin:open sesame.

Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token is pretty much providing a shortcut here, as it (presumably) relies on neither OAuth nor the HTTP authentication framework.

Please note that, with X-Auth-Token being an unregistered header, it is subject to no formal specification, and its presence and content are always tied to a respective application. No general assumptions can be made about it.

DaSourcerer answered Oct 07 '22 03:10
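The points made in the answer above (Base64 in Basic is an encoding, not encryption; Authorization carries a scheme name that the RFC 7235 grammar lets a server dispatch on; X-Auth-Token is a bare, application-defined value) can be seen in code. The following Python module is an added example, not code from the question or the answer: it encodes and decodes the exact RFC 7617 credential from the question, splits an Authorization field into scheme and credentials the way RFC 7235 defines it, and checks all three header forms on the server side with constant-time comparisons. The credential stores (USERS, API_TOKENS) and the functions (encode_basic, decode_basic, parse_authorization, authenticate) are constructed for this illustration; a real service would store salted password hashes and random, revocable tokens.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential stores for the example (assumption, not a real API):
USERS: Dict[str, str] = {"Aladdin": "open sesame"}       # RFC 7617 example pair
API_TOKENS: Dict[str, str] = {"dadas123sad12": "Deepak"}  # token -> principal


def encode_basic(username: str, password: str) -> str:
    """Build the token68 part of a Basic credential (RFC 7617).
    The user-id must not contain a colon; the password may."""
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_basic(token68: str) -> Optional[Tuple[str, str]]:
    """Reverse of encode_basic; None if the value is not valid Basic data.
    Plain Base64: anyone who sees the header recovers the password."""
    try:
        raw = base64.b64decode(token68, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")  # split on the FIRST colon only
    if not sep:
        return None
    return user, password


def parse_authorization(value: str) -> Optional[Tuple[str, str]]:
    """Split an Authorization field into (scheme, rest) per RFC 7235:
    credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
    Scheme names are case-insensitive, so the scheme is returned lower-cased."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None
    scheme = parts[0].lower()
    rest = parts[1].strip() if len(parts) > 1 else ""
    return scheme, rest


def _lookup_token(token: str) -> Optional[str]:
    # Compare against every stored token with a constant-time function so the
    # response time does not reveal how many leading bytes matched.
    found = None
    for stored, principal in API_TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            found = principal
    return found


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the authenticated principal for a request, or None.
    Accepts Authorization: Basic / Bearer (registered schemes) and the
    application-specific X-Auth-Token header, which carries a bare token."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if "authorization" in h:
        parsed = parse_authorization(h["authorization"])
        if parsed is None:
            return None
        scheme, rest = parsed
        if scheme == "basic":
            creds = decode_basic(rest)
            if creds is None:
                return None
            user, password = creds
            expected = USERS.get(user, "")
            # compare_digest keeps the check constant-time; the `user in USERS`
            # test stops an unknown user from matching the empty default.
            ok = hmac.compare_digest(expected.encode(), password.encode())
            return user if ok and user in USERS else None
        if scheme == "bearer":
            return _lookup_token(rest) if rest else None
        return None  # unknown scheme: reject rather than guess

    if "x-auth-token" in h:
        # No scheme word and no RFC: the value means whatever this app says.
        return _lookup_token(h["x-auth-token"].strip())

    return None


if __name__ == "__main__":
    hdr = "Basic " + encode_basic("Aladdin", "open sesame")
    print(hdr)                                   # same value as in the question
    print(decode_basic(hdr.split(" ", 1)[1]))    # ('Aladdin', 'open sesame')
    print(authenticate({"Authorization": hdr}))
    print(authenticate({"X-Auth-Token": "dadas123sad12"}))
```

Two design points worth noting: the Basic branch only ever matches a known user because the `user in USERS` guard runs after the constant-time compare, and an unrecognised scheme in Authorization is rejected outright rather than treated as a bare token, which is the behaviour X-Auth-Token gets because nothing but the application defines it.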