
When you use the Disqus API on the server side, you have to put 'app_secret' in the URL of every API request. Here is what the Disqus doc says:

If you are using the server-side API, you will need to send api_secret with your secret API key value.

(https://disqus.com/api/docs/requests/)

When I call URL like this:

https://disqus.com/api/3.0/threads/list.json?access_token={ACCESS_TOKEN}

I get this error:

{"code":5,"response":"Invalid API key"}

When I change the URL to this:

https://disqus.com/api/3.0/threads/list.json?access_token={ACCESS_TOKEN}&api_secret={API_SECRET}

It works ok.

I think it is very, very dangerous to use a secret key in common GET requests. I don't know of any other API that requires using a secret key in GET requests.

What do you think about it?

user26204
  • FYI, you can't just pass the `access_token`; you can always use `api_key` along with your public key instead of `api_secret` and your secret key. – Ryan V Jul 30 '14 at 20:52

1 Answer


It's a server-side request, so from your server to Disqus.com. The client will never see the URL.

As you are using HTTPS, all that is visible in plaintext is that you made a request to a server at a specific IP address. However, an attacker monitoring your DNS requests or using a reverse DNS lookup can easily determine that the IP address belongs to the server at disqus.com.

So in short: It's safe. An attacker can see that you talk to disqus.com, but everything else is encrypted.

Also see this answer and this answer for more.

jmiserez
  • Ok, thanks for your answer. Unfortunately Disqus also allows the use of HTTP, not only HTTPS. And this is a security issue; HTTP should be prohibited. We are also building a somewhat special app, where the user can see the HTTP request in plain text, so we will remove the query params for this API. – user26204 Jul 30 '14 at 20:13
  • @user26204 `Note: We recommend using SSL for all requests to the API, but it is not required for anonymous requests.` Which should mean that it's required for all non-anonymous requests. Have you actually tried using HTTP? And why would the user need to see your **server-side** requests? I can think of no scenario where that would be necessary. – jmiserez Jul 30 '14 at 20:18
  • I can do HTTP requests with app_secret in the URL. I think the API should not allow this and HTTP requests should be rejected. We are building a very special app for advanced users (developers etc.); I cannot talk about it more right now. – user26204 Jul 30 '14 at 20:32
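The thread settles on two practical points: with HTTPS the path and query string (including `api_secret`) are inside the TLS tunnel and an on-path observer learns only the host and IP, but Disqus does not reject plain HTTP, and the asker's app displays the raw request. The following is an added example, not code from the question, the answer or Disqus: a small standard-library Python helper that (1) reports which URL components a passive network observer can see for a given scheme, (2) refuses to build a request URL that would carry a secret parameter over a non-HTTPS base, since the API itself does not enforce this, and (3) redacts secret query values before a URL is logged or shown to a user. The base URL and parameter names `api_secret` and `access_token` come from the question; treating exactly those two as secret, and the sample token values, are assumptions made for the example.

```python
"""Client-side guard for secrets carried in API query strings.

Added example for the Disqus api_secret discussion; not Disqus code.
Only the Python standard library is used.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that must never leave the process over plaintext HTTP or
# appear unredacted in logs/UI. The two names are from the question; treating
# exactly these as secret is an assumption for this example.
SECRET_PARAMS = frozenset({"api_secret", "access_token"})

# Base URL as used in the question.
DISQUS_API = "https://disqus.com/api/3.0/"


def wire_exposure(url):
    """Return what a passive network observer learns from this request.

    For HTTPS only scheme, host and port are observable (the host via DNS or
    TLS SNI, as the answer notes); path and query travel inside TLS.
    For plain HTTP every component, including the query string, is plaintext.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    visible = {"scheme": parts.scheme, "host": parts.hostname, "port": port}
    encrypted = {"path": parts.path, "query": parts.query}
    if parts.scheme != "https":
        # No TLS: everything the observer would otherwise miss is now visible.
        visible.update(encrypted)
        encrypted = {}
    return {"visible": visible, "encrypted": encrypted}


def build_request_url(endpoint, params, base=DISQUS_API):
    """Join base + endpoint + query, refusing secrets on a non-HTTPS base.

    The thread notes that Disqus accepts HTTP for these requests, so the
    client has to be the one that rejects it.
    """
    scheme = urlsplit(base).scheme
    if scheme != "https" and SECRET_PARAMS.intersection(params):
        raise ValueError(
            "refusing to send %s over %s; use an https:// base"
            % (sorted(SECRET_PARAMS.intersection(params)), scheme or "unknown")
        )
    return base + endpoint + "?" + urlencode(params)


def redact_url(url, secret_params=SECRET_PARAMS):
    """Replace secret query values with REDACTED so the URL is safe to log or display."""
    parts = urlsplit(url)
    pairs = [
        (key, "REDACTED" if key in secret_params else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample credentials; not real tokens.
    sample = {"access_token": "tok123", "api_secret": "sec456", "forum": "example"}
    url = build_request_url("threads/list.json", sample)
    print("safe to log:", redact_url(url))
    print("on the wire:", wire_exposure(url))
    try:
        build_request_url("threads/list.json", sample, base="http://disqus.com/api/3.0/")
    except ValueError as exc:
        print("blocked:", exc)
```

`wire_exposure` is what the answer says in code form: the HTTPS result lists `disqus.com:443` as visible and the query string as encrypted, while the same URL with `http://` moves the query into the visible set. `redact_url` addresses the asker's plan to strip the query parameters from what the app displays, while keeping the non-secret ones (such as `forum`) readable for debugging.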