
Is there any way to supply key/value parameters of my choice in the headers of a GET request?

Or should I use a POST request for that - even if my request is purely about retrieving information?

Background: I have a RESTful API that requires a key parameter. I want to use this API as the back-end for a JavaScript application on the same domain. However, I don't want users of the web app to be able to see and steal the key parameter, which they would if the key parameter was supplied as a GET parameter.

I think since my site is served over HTTPS, if I put the key parameter in the header, it will be invisible to the web app user, and that gets around my problem.

Richard
  • If you control the server, you probably could do something like that - did you try? Though, having re-read the question, if you want to have some value totally invisible to the user, then, no, custom headers won't help - users can see those as well – Jaromanda X Nov 26 '15 at 11:07
  • Yes, needs to be totally invisible. Oh well, thanks anyway! If you want to submit an answer of "it's not possible", I will accept. – Richard Nov 26 '15 at 11:12
  • Oh, it's not impossible - just not using custom headers – Jaromanda X Nov 26 '15 at 11:13
  • Maybe this will help - http://stackoverflow.com/questions/319530/restful-authentication - I'm assuming this `key` is some form of authentication – Jaromanda X Nov 26 '15 at 11:24
  •
    "I think since my site is served over HTTPS, if I put the key parameter in the header, it will be invisible to the web app user " — You are wrong. HTTP protects data from being seen by *third parties*. If you are sending the request *from the browser* then the user can see **everything** that is in the request. It doesn't matter if it is in the URL, the headers or the body. Their browser is sending it and they control the browser so they can see it. The Network tab in the Developer Tools that come with all modern browsers will show all three of those places. – Quentin Nov 26 '15 at 11:30

1 Answer


Invisible is probably not possible.

You can do this in three ways.

  1. Either you use salt and hash for generating a random key using SHA-256/512 and some random secret key in your app and pass it through a GET request.

  2. Or you can use a POST request for the same (easiest method).

  3. Use JWT (JSON Web Tokens) (relatively more secure). Read the docs here: http://jwt.io/
Robus