Secured way to communicate between servers

Question

We are passing secret keys to authenticate the GET requests between https enabled websites. Which of the following ways are more secured:

GET /auth?secret=8727n2i752gns982jsn'

Only 2 servers know that secret keys.

Or should we set headers as follows:

request({
    url: '/auth',
    headers: {
        'secretKey': 's87ehwdiw8y3dhj'
    }
});

Which method is more secured and why?

Definitely do not append the secret in the URL, even if it's HTTPS. I believe headers are encrypted. — Vic, Jun 26 '18 at 13:04

score 2 · Accepted Answer · answered Jun 26 '18 at 12:29

2

Ideally sending secret key isn't a good option. But if there is utmost need I would suggest you to send the key in the headers like:

request({
    url: '/auth',
    headers: {
        'secretKey': 's87ehwdiw8y3dhj'
    }
});

If you give a "secret key" to a browser, it's not secret anymore. Javascript in the browser is just too open to really keep a key secret.

As it is less visible, yet anyone can sniff it as it's just javascript.

Here are few links to enlighten you more:

answered Jun 26 '18 at 12:29

Harshal Yeole

Is the data in headers encrypted? If yes, why isn't sending secret in headers is not a good option? – Sowmay Jain Jun 26 '18 at 12:42
It's encrypted in https only and in transit and not on the ends. That's why. – Harshal Yeole Jun 26 '18 at 14:56
However, as per our case, we are sending data server to server so both servers know the secret keys. So that might not be the issue here. Thanks for your answer. – Sowmay Jain Jun 26 '18 at 14:59
Ideally, what methods we should use instead of sending secret keys directly? – Sowmay Jain Jun 26 '18 at 15:00
I would suggest keeping SECRET in .env file and set it on each environment manually.. To keep the secrecy of the secret keys. :) – Harshal Yeole Jun 26 '18 at 15:18

Mikell-S · Answer 2 · 2018-06-26T12:34:12.107

1

request({
    url: '/auth',
    headers: {
        'Authorization': 'Bearer s87ehwdiw8y3dhj'
    }
});

This is a standardized way of passing tokens through header. The security part is really more about your token creation.

'Bearer' is the type of Authorization you are using. It could be 'Basic', etc ie

'Authorization': 'Basic s87ehwdiw8y3dhj'

edited Jun 26 '18 at 12:34

answered Jun 26 '18 at 12:28

Mikell-S

Is the data in headers encrypted? – Sowmay Jain Jun 26 '18 at 12:41
@SowmayJain yes they are in `https` but not in `http`. – vibhor1997a Jun 26 '18 at 12:51
Your token should have the encryption. And there are varying encryption types you can use, but from your first comment, it appears that the servers passing the value already know how to read the encrypted tokens. Am I misunderstanding your comment? – Mikell-S Jun 26 '18 at 12:51
Here is an answer to the https header encryption question https://stackoverflow.com/a/31565082/5770064 – Mikell-S Jun 26 '18 at 12:55
Yeah, its obvious that they are encrypted only in the transit not at the ends. – vibhor1997a Jun 26 '18 at 12:58
This way is ideal for passing Auth tokens and not secret keys. – Harshal Yeole Jun 26 '18 at 14:56

2 Answers2