I have built simple auth for REST servers in academic projects. I always used the headers to pass the credentials. This is probably just because every tutorial I’ve ever seen did it this way. Initially, I’d have header fields for password, but I eventually switched to basic auth. Anyway, whatever it was, I always had it passed in the headers. My impression was that this was the single correct way.
I am told by the platform team at my work that we are required to log all headers of each request received, no exceptions, and so I should not be using headers to accept any sensitive information, such as a password. I was shown an example of a REST API built by another team. For POST and PUT methods, the auth string was accepted in the message body. For GET and DELETE methods, it was in the URL query. This seems wrong to me, but I can’t exactly explain why.
I am trying to figure out if I should fight against this policy. I’d like to find out if my position is correct, and, if so, how to support it when I speak to leadership.
- Am I correct in my thinking that HTTP headers are the single correct way to pass auth credentials in a stateless REST API?
- Am I correct that using the URL query params is dangerously insecure, or otherwise inadvisable?
- If I am correct, is there some authoritative source that I can reference when I make the case to my leadership? (Other than RFC 7235; I’ve read it, and it is too technical for the people I need to convince.)
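The logging situation the question describes, as an added example that is not part of the original post: a small access logger that still records every header name (as the platform policy requires) but masks credential-bearing values, run over two constructed requests that carry the same Basic credential once in the `Authorization` header and once in the URL query. The header and query-parameter name lists are assumptions, not anything from the post.

```python
"""Added example: access-log redaction for credential-bearing headers and query
parameters. Not code from the original post; the sensitive-name lists are assumed."""
import base64
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed list of headers whose values carry credentials; extend as needed.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
# Assumed query parameter names that an API might use to carry credentials.
SENSITIVE_QUERY_KEYS = {"auth", "token", "password", "api_key"}
MASK = "REDACTED"

def redact_headers(headers):
    """Keep every header name (policy: log all headers) but mask credential values."""
    return {name: (MASK if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}

def redact_url(url):
    """Mask credential-looking query parameter values; path and other params stay."""
    parts = urlsplit(url)
    pairs = [(k, MASK if k.lower() in SENSITIVE_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def access_log_line(method, url, headers, redact=True):
    """Format one request as an access-log line, either naively or with redaction."""
    if redact:
        url, headers = redact_url(url), redact_headers(headers)
    rendered = " ".join(f'{k}="{v}"' for k, v in sorted(headers.items()))
    return f"{method} {url} {rendered}"

# Constructed sample requests: the same credential sent two different ways.
CREDENTIAL = base64.b64encode(b"alice:s3cret").decode()
HEADER_REQ = ("GET", "/api/orders?limit=10",
              {"Host": "api.example.test", "Authorization": f"Basic {CREDENTIAL}"})
QUERY_REQ = ("GET", f"/api/orders?limit=10&auth={CREDENTIAL}",
             {"Host": "api.example.test"})

def leaks_credential(method, url, headers, redact):
    """True if the credential string ends up in the resulting log line."""
    return CREDENTIAL in access_log_line(method, url, headers, redact=redact)

if __name__ == "__main__":
    for req in (HEADER_REQ, QUERY_REQ):
        print("naive   :", access_log_line(*req, redact=False))
        print("redacted:", access_log_line(*req, redact=True))
```

Without redaction both requests leak the credential into the log, since the request line is logged alongside the headers; with redaction the header name still appears but its value does not.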