0

I've seen some conflicting information about this. Is there any benefit these days with most web apps being served over https, putting an api key in the header vs as a parameter in a URL???

I had someone freak out about it and my understanding is that it makes no difference over https.

cnak2
  • 1,711
  • 3
  • 28
  • 53
  • You are correct given just the request itself. However, it's probably easier to keep out of logs if it's in a header. URLs are often logged in lots of places. – mrmcgreg Jul 30 '22 at 20:20
  • Does this answer your question? [Place API key in Headers or URL](https://stackoverflow.com/questions/5517281/place-api-key-in-headers-or-url) – mrmcgreg Jul 30 '22 at 20:23
  • That question doesn't address the part in the question about HTTPS, although I doubt if the answer will change because of it. Note that TLS is applied *before* HTTP in HTTPS, so both the URL and the headers will be protected. – Maarten Bodewes Jul 30 '22 at 20:42

0 Answers0