Question
I have seen some video tutorials, for example for Laravel. There is talk of an API token that is in the database for a user and is used for each request in the URL.
For example: www.domain.nl/api/user/1/edit?token=)#(UJRFe0wur0fMjewFJ
- Is this a safe way even when you want to update, delete or add?
- Can anyone intercept the token?
- What's the best way?
I hope someone can help me, thanks!
Answer 1:
Is this a safe way even when you want to update, delete or add?
No, generally it is not. The token in the URL can be read during the request all along the way. It would be kind of safe if the token were unique and for one-time use only.
Can anyone intercept the token?
Yes, almost everyone along the route of the request, unless you use a secured HTTPS connection. Yet even then the token can be discovered, e.g. in access logs etc.
Furthermore, using the token in the URL for GET requests means that the URL with the token will stay in your browser history, which is another potential security risk.
What's the best way?
The best way would be to send the token data in a header or in a POST request field.
Useful links
See the SO Q&A "Is an HTTPS query string secure?"
Answer 2:
Doing authorization only by token in GET doesn't seem to be a good idea to me.
I would recommend using Laravel's Authentication middleware. https://laravel.com/docs/5.2/authentication
In Laravel there is a csrf token, which is not used to authenticate 'user' within a site though. Maybe they're talking about this one.
Answer 3:
1. Is this a safe way even when you want to update, delete or add?
A token is as sensitive as other credential information like a password. It can be used to access restricted privileges. Preferably, don't pass it by query string in the URL.
2. Can anyone intercept the token?
If you are using HTTPS, it will be secured. But your logs and browser caches will store the entire URL including the token, which is not nice.
3. What's the best way?
Put it in the Authorization field in the header.
Authorization: Bearer <YOUR TOKEN>
It will be encrypted when you are using HTTPS as well. It does not get cached or recorded in logs.
Laravel already supports this kind of request. It will know how to access this automatically by using this Request method:
use Illuminate\Support\Str;

// Return the bearer token from the Authorization header, or null
// when the header is missing or does not start with "Bearer ".
public function bearerToken()
{
    $header = $this->header('Authorization', '');
    if (Str::startsWith($header, 'Bearer ')) {
        return Str::substr($header, 7); // strip the "Bearer " prefix
    }
    return null;
}
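Answer 1 explains why a token in the query string ends up in access logs, history and caches, and Answer 3 shows Laravel's bearerToken() helper. The following is an added, framework-free example (not code from the question, the answers, or Laravel itself) that mirrors that helper's logic and then validates the presented token against a stored hash. The function names, the SHA-256-of-token storage scheme, the header arrays and the sample token are all constructed for this illustration and are not from the original post.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or answers): a framework-free
// equivalent of Laravel's Request::bearerToken(), plus validation of the
// presented token against a hash stored for the user. All names and
// sample values here are constructed for illustration.

/**
 * Return the bearer token from an Authorization header, or null when the
 * header is absent or does not carry the Bearer scheme (RFC 6750, 2.1).
 * The "Bearer " prefix check is case-sensitive, mirroring Laravel's snippet.
 */
function extractBearerToken(array $headers): ?string
{
    // Header names are case-insensitive; normalise before the lookup.
    $normalised = array_change_key_case($headers, CASE_LOWER);
    $value = trim($normalised['authorization'] ?? '');

    if (strncmp($value, 'Bearer ', 7) !== 0) {
        return null;
    }
    $token = trim(substr($value, 7));

    return $token === '' ? null : $token;
}

/**
 * Compare a presented token with the hash stored for the user.
 * Only a hash is kept server-side, so a leaked users table does not leak
 * usable tokens; hash_equals() keeps the comparison constant-time.
 */
function tokenIsValid(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

// --- constructed demo (assumed values, not from the original post) --------
$issuedToken = bin2hex(random_bytes(32));    // handed to the client once, at issuance
$storedHash  = hash('sha256', $issuedToken); // all the users table needs to keep

// Token sent the way Answer 3 recommends: in a header, so it is not part of
// the request line that access logs, browser history and caches record.
$headerRequest = [
    'Host'          => 'www.domain.nl',
    'Authorization' => 'Bearer ' . $issuedToken,
];
$token = extractBearerToken($headerRequest);
echo 'header token accepted: ',
    var_export($token !== null && tokenIsValid($token, $storedHash), true), PHP_EOL;

// Token sent only in the query string, as in the question: the header is
// absent, so nothing is extracted and the request must be refused.
$queryRequest = ['Host' => 'www.domain.nl'];
echo 'query-string-only request yields: ',
    var_export(extractBearerToken($queryRequest), true), PHP_EOL;

// A wrong token of the correct length is rejected without an early exit.
echo 'forged token accepted: ',
    var_export(tokenIsValid(str_repeat('0', 64), $storedHash), true), PHP_EOL;
```

Run it with `php example.php`. The design point is the split between where the token travels (a header, which web servers do not write to their access logs by default, unlike the request line) and how it is stored (only a hash, compared with hash_equals()); a Laravel middleware would wire the same two checks around $request->bearerToken().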
Source: https://stackoverflow.com/questions/38322835/is-using-a-api-token-in-url-or-post-curl-safe