Securing API with access token

Question

I am not using any kind of SSL and I am wondering the following:

If I have a list of api keys stored in my DB, and I force users who want to consume the API to do the calls with the following HTTP Header:

'Authorization: Token token="c576f0136149a2e2d9127b3901015545"'

And then I check if that token exists. Is it secure to put that in the HTTP header? If not, how could I secure it?

Thanks

Anyone in the middle will be able to read the token. For something serious SSL would be a must, I guess. — miku, May 23 '13 at 10:15
@HommerSmith Yes, SSL encrypts all data you're communicating over that connection, including the headers. — Joachim Isaksson, May 23 '13 at 10:17
@HommerSmith: Yes, See also: [Are HTTPS headers encrypted?](http://stackoverflow.com/questions/187655/are-https-headers-encrypted) — miku, May 23 '13 at 10:17

score 1 · Answer 1 · answered May 23 '13 at 10:21

No, it is absolutely not secure. It suffers from Man-in-the-Middle and replay attacks.

Putting access control mechanisms in HTTP headers is awful because HTTP has no security. That means all data, including passwords, headers, etc. is transmitted in the clear.

When you use SSL, your HTTP request is tunnelled through a secure connection (why it is secure isn't too important here, just assume it is).

Only then, having ensured the whole HTTP communication is secure by tunnelling it through a secure SSL tunnel, can you safely put access control mechanisms in the header. Although if you are using SSL tunnelling then really it doesn't matter where you put the token.

Securing API with access token

1 Answers1