
I know it is a very basic question, but I need a solid answer to clear my thoughts on it.

I am sending user credentials, keys etc. in the header part in a POST method. Is it a good way? If not, then why?

James Z

SOP
  • Doing this over plain HTTP is a terrible idea. With HTTPS it's much better. However, your application might be fooled into leaking the credentials, and then you're toasted. I guess combining headers with [HttpOnly cookies](https://stackoverflow.com/a/23035655/581205) is best. – maaartinus Jun 15 '17 at 00:29

1 Answer


It's a bad way of doing things like this, since if somebody could intercept your request, they would get your credentials easily. Better to avoid, or at least encrypt, this kind of request.

One of the most popular solutions nowadays is to use OAuth 2.0 (or, even better, OpenID Connect). They will bring some complexity to your system, but the cool thing about it is that your application doesn't have to deal with passwords at all. Everything is delegated to the Authorization Server. And there are a lot of authorization servers ready to use, for instance Keycloak (we have been using it and it was a really good experience for us).

Danylo Zatorsky
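Two small guards that follow from the answer's point (credentials in headers are only acceptable when the transport is encrypted) and from maaartinus's comment (keep the session in an HttpOnly cookie), written as an added example that is not part of the question, the answer or any project mentioned on the page. The function names, the `example.com` URLs and the sample credentials are this example's own constructed assumptions; the Basic-auth encoding and the cookie attribute names are standard HTTP.

```python
"""Client- and server-side checks around credential-bearing HTTP requests.

Added example, not code from the Stack Overflow post. All function names and
sample values below are assumptions made for illustration.
"""
import base64
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """Raised when credentials would be sent over an unencrypted scheme."""


def transport_is_safe(url: str) -> bool:
    """True only for HTTPS URLs; anything else would expose the header in clear text."""
    return urlsplit(url).scheme.lower() == "https"


def credential_headers(url: str, username: str, password: str) -> dict:
    """Build an HTTP Basic Authorization header for `url`.

    The header is only produced when the URL uses HTTPS, so a client that
    always goes through this helper cannot accidentally send a password or
    API key over plain HTTP (the interception case the answer warns about).
    """
    if not transport_is_safe(url):
        scheme = urlsplit(url).scheme or "unknown"
        raise InsecureTransportError(f"refusing to send credentials over {scheme}://")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value carrying the flags an authentication cookie needs.

    HttpOnly keeps page scripts from reading it, Secure keeps the browser from
    sending it over plain HTTP, and SameSite=Lax limits cross-site sending.
    """
    if not name.isalnum() or not value.isalnum():
        # Constructed restriction for this example: keep separators out of the value.
        raise ValueError("cookie name and value must be alphanumeric")
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check an existing Set-Cookie value for both the HttpOnly and Secure attributes."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie.split(";")[1:]  # skip the name=value pair itself
    }
    return "httponly" in attributes and "secure" in attributes


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real endpoint or credential.
    print(credential_headers("https://api.example.com/login", "alice", "s3cret"))
    cookie = session_cookie_header("session", "abc123")
    print(cookie, cookie_is_hardened(cookie))
    try:
        credential_headers("http://api.example.com/login", "alice", "s3cret")
    except InsecureTransportError as err:
        print("blocked:", err)
```

The client-side guard is the part most often missing in practice: a code path that builds the header without checking the scheme will happily send the same credentials over HTTP if a base URL is misconfigured, and the server never sees that it happened. The cookie check is useful in a test suite that inspects the headers a login endpoint actually returns.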