
authentication token in a queryString

Our current implementation of the REST API uses apiKey inside queryString for all types of request (PUT, POST, GET). I feel it's wrong but can't explain why (maybe the apiKey can be cached somewhere between server and client). Something like:

POST /objects?apiKey=supersecret {name: 'some'}

So, is it a security problem? Please describe both the HTTP and HTTPS connection case.

HTTP:

Your supersecret values can be seen and intercepted by third parties whenever you send them from the client to the server or vice versa, irrespective of whether you use PUT, POST, etc. This is even true when you use cookies for storing those values instead of the query string.

HTTPS:

When the data is in transit between your client and server it cannot be intercepted since it's protected by HTTPS, even if it is in the query string. But most people consider sending data in the query string bad, since many systems log the query strings. For example, most servers are configured to print the access logs with the path and query parameters. Also, if it's from a browser it can be stored in your browser history.
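To make the logging point concrete, here is an added example (written for this page, not code from the question or the answer above). It mimics the common access-log line format that records method, path and query string but not headers or body, shows that an apiKey in the query string lands in that line while the same key sent in an Authorization header does not, and includes a redaction helper a server could apply before writing URLs to its logs. The log format, the list of sensitive parameter names and the hostname `api.example.com` are all assumptions made for the example.

```python
"""Added example (not from the original question or answer): what an access log
records for a request that carries the API key in the query string versus in an
Authorization header, plus a helper that redacts secret query values before logging.
The log format and the parameter names below are assumptions for illustration."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of query parameter names that should never reach a log unmasked.
SENSITIVE_PARAMS = {"apikey", "api_key", "token", "access_token", "key"}


def access_log_line(method, url, status=200):
    """Mimic a typical access-log entry: method, path + query string, status.
    Request headers and body are not written, which is exactly why a key in the
    query string ends up on disk while a header value does not."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return f'"{method} {target} HTTP/1.1" {status}'


def redact_query(url, sensitive=SENSITIVE_PARAMS, mask="REDACTED"):
    """Return url with the values of sensitive query parameters replaced.
    Parameter names are kept so the logged line stays useful for debugging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, mask if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def safe_access_log_line(method, url, status=200):
    """Access-log entry written after redaction of the query string."""
    return access_log_line(method, redact_query(url), status)


def key_leaks_into_log(method, url, headers, secret):
    """True if the secret would appear in the access-log line for this request.
    `headers` is accepted only to show that header contents never reach the line."""
    return secret in access_log_line(method, url)


if __name__ == "__main__":
    secret = "supersecret"  # constructed sample value, same as in the question
    # Variant 1: key in the query string, as in the question.
    via_query = "https://api.example.com/objects?apiKey=supersecret&name=some"
    print(access_log_line("POST", via_query))
    print("leaks:", key_leaks_into_log("POST", via_query, {}, secret))
    print(safe_access_log_line("POST", via_query))
    # Variant 2: same key carried in an Authorization header instead.
    via_header = "https://api.example.com/objects?name=some"
    hdrs = {"Authorization": "Bearer " + secret}
    print(access_log_line("POST", via_header))
    print("leaks:", key_leaks_into_log("POST", via_header, hdrs, secret))
```

Running the block prints the query-string variant with `apiKey=supersecret` in the logged line and `leaks: True`, the redacted form with `apiKey=REDACTED`, and the header variant with `leaks: False` because the Authorization header is never part of what the access log records.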
