11

Which is the right approach to send user credentials from the front end to the backend server? I see examples where some developers use the authorization headers and some pass the credentials in the POST body.

unnik
  • There is no right or wrong here - it highly depends on the standard you're going to implement. For example in OAuth2, the header is used. – maio290 Nov 28 '18 at 09:22

2 Answers

12

Credentials usually go to the request body once, when trying to log in. You should receive a token in return, although whether you send this token via HTTP header, request body or as a GET param is up to you (or the protocol you are implementing).

It's generally a good practice to use the header, because GET requests shouldn't include a request body and passing the token as a GET parameter may not always be an option (e.g. due to the token appearing in various logs).

Either way, I would advise you to avoid trying to implement your own protocol and use an existing standard instead.

  • 2
    To be clear, passing secret information as a URL parameter in a GET request is unsafe, even with HTTPS/SSL. – lortimer Oct 29 '19 at 17:12
4

The only safe method for a website to transfer a password to the server is using HTTPS/SSL. If the connection itself is not encrypted, a man-in-the-middle can modify or strip away any JavaScript sent to the client. So you cannot rely on client-side hashing.

Moreover, always use headers for sending sensitive data like USER-ID, API-KEY and AUTH-TOKENS. You can refer to this Stack question (link) for more information, and this link.

rajat singh