Are Python.requests safe?

Question

I'm about to use Python.requests to get data from my own online api to my local pc. My api requires authentication which for now is done trough simply posting user/pass:

params = {'user': 'username', 'pass':'password'}

requests.post(url, params=params)

Are this requests safe or is it going to allow a middle-man to capture that user/pass?

P.S My api is using a letsencrypt ssl certificate. Python version 3.7.0

I'm no expert but it looks like you might want to use requests[security] see https://stackoverflow.com/questions/31811949/pip-install-requestssecurity-vs-pip-install-requests-difference — Xantium, Jul 22 '19 at 10:48
It surely follows HTTPS schema, if you are using https, then it is safe in this case. — Sraw, Jul 22 '19 at 10:53
@Sraw so i don;t have to add anything else to the `requests`, it'll automatically go for the safe path? — Emanuel Ones, Jul 22 '19 at 10:54
@Simon Thanks, even tho it's a bit contradicting with the git ticket. — Emanuel Ones, Jul 22 '19 at 10:55
@Sraw so to make it clear: there is no way as it is written right now for a middle-man to collect that user/pass? — Emanuel Ones, Jul 22 '19 at 10:57
As I said I'm not an expert on the subject, I am probably wrong. Just trying to help (and hopefully not add confision to the subject). If the publishers say you should use a particular library, you probably want to go for that. idk — Xantium, Jul 22 '19 at 11:00
@Simon i agree. It's my bad that i forgot to mention the version - i'll edit it right away — Emanuel Ones, Jul 22 '19 at 11:02
@Sraw maybe add that as an answer if others stumble upon this — Emanuel Ones, Jul 22 '19 at 11:04

score 5 · Answer 1 · answered Jul 22 '19 at 11:24

5

this has nothing to do with the python-requests package, but with the HTTP (and HTTPS) protocols. HTTP is plain-text so anyone that manages to sniff your packets can read the content (hence the username/password pair in clear text). HTTPS uses strong encryption, so even someone sniffing your traffic will have a hard-time deciphering it - no encryption scheme is 100% safe of course but decrypting SSL traffic is currently way too costly even for the NSA.

IOW, what will make your requests "safe" is the use of the HTTPS protocol, not which python (or not python) package you use to write your client code.

answered Jul 22 '19 at 11:24

bruno desthuilliers

75,974
6
88
118

So basically because i'm using https for my api i'm pretty safe even tho the requests go out from my pc? – Emanuel Ones Jul 22 '19 at 11:32
What do you think happens when you submit your credit card number to a web payment interface ? It _is_ a "request" that "go out from your pc". – bruno desthuilliers Jul 22 '19 at 12:47

score 3 · Answer 2 · answered Jul 22 '19 at 11:42

3

Use the HTTPS protocol and it's safe provided you have a valid SSL certificate on your api. If you still feel paranoid/insecure, you can implement end-to-end encryption using an existing algorithm or create your custom algorithm either.

answered Jul 22 '19 at 11:42

Ozichukwu

396
3
12

Are Python.requests safe?

2 Answers2

Linked

Related