Just now, Electronics Wizardy said:

The full URL is encrypted, so they can't see it, but putting the password in the URL is a bad idea.

That's the only way my API is going to work. Unless you've got a better idea of keeping other people out. Keep in mind this has to be fully done through a cURL request.


38 minutes ago, Mornincupofhate said:

That's the only way my API is going to work. Unless you've got a better idea of keeping other people out. Keep in mind this has to be fully done through a cURL request.

That's a horrible idea, probably wanna rethink this whole thing.


2 hours ago, Levisallanon said:

This is GET not POST ;).

You put an API key in the header of your request, or you can put a JWT token in the header and decrypt it on the server.

The only time you should send a password is logging in to get the other.

1. User sends a POST with username and password to the server.

2. You use a secret on the server to encrypt them in a token and send it back.

3. Every request, you send that header. As only the server knows the secret, if it fails to decrypt it then it's invalid, or if it's not there, send back 403.

Vorticalbox
Scientia Potentia est
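The three-step flow in the post above, simulated end to end in one process as an added example (this is not code from the thread or from any poster). Assumptions: a constructed user table with one salted password hash, an HMAC-signed token in place of a full JWT library, a server secret generated at startup, and a protected endpoint that answers 403 when the Authorization header is missing or the token fails verification. The login step takes the credentials from a POST body, never from the URL, which is the point the other replies make.

```python
"""Added example: login once with a password, then authenticate every later request
with a server-signed token carried in the Authorization header (assumptions noted inline)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: the server generates its signing secret at startup; only the server holds it.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed user store (sample data, not real credentials): username -> PBKDF2 hash.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Steps 1 and 2: credentials arrive in a POST body; the server checks them and returns
# a token whose payload is signed (HMAC-SHA256) with the server secret.
def login(body: dict):
    username = body.get("username", "")
    password = body.get("password", "")
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        return 401, {"error": "bad credentials"}
    payload = json.dumps({"sub": username, "exp": int(time.time()) + 3600}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return 200, {"token": _b64(payload) + "." + _b64(sig)}


# Step 3: recompute the signature with the secret and reject anything that does not match
# or has expired. Only the server can produce a valid signature.
def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims.get("sub")


def protected_resource(headers: dict):
    """Every later request carries 'Authorization: Bearer <token>'; missing or invalid -> 403."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 403, {"error": "missing token"}
    user = verify_token(auth[len("Bearer "):])
    if user is None:
        return 403, {"error": "invalid token"}
    return 200, {"hello": user}


if __name__ == "__main__":
    status, resp = login({"username": "alice", "password": "correct horse battery staple"})
    print(status, resp)
    token = resp["token"]
    print(protected_resource({"Authorization": "Bearer " + token}))   # 200
    print(protected_resource({}))                                      # 403, missing
    print(protected_resource({"Authorization": "Bearer " + token.split(".")[0] + ".AAAA"}))  # 403, bad signature
```

From cURL the two halves of the exchange look like `curl --data "username=alice&password=..." https://example.invalid/login` to obtain the token, then `curl -H "Authorization: Bearer <token>" https://example.invalid/data` for everything else; the password travels in a request body exactly once, and the access log for the later requests contains neither it nor the token.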


MDN suggested this site... and they just so happen to have an article about using REST to log in: http://restcookbook.com/Basics/loggingin/

Sending the password over a GET, PUT, or POST risks having the password intercepted unless you are using secure HTTPS. They also suggest other options like using OAuth.

Web Developer and Java contractor


Including the password in the URL of the request is GET rather than POST (you can use the POST verb if you want, but you aren't making use of any of the extra functionality compared to GET, and the semantics of it depend on what else you do with the request).

The URL, request body, and everything else are encrypted in GET and POST requests made over HTTPS, so they wouldn't be vulnerable to man-in-the-middle attacks. However, on your own server you are probably logging the request URL, which will store the password if you're including it in the URL. I would encourage you to include it in the request body - it's definitely the best practice. To do that using cURL, you would run

curl --data "password=stuff" https://website.com/index.php

 

HTTP/2 203
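The logging problem raised in the reply above, shown over sample data as an added example (not code from the thread). The access log lines are constructed in Apache/nginx "combined" format; the sensitive parameter names are an assumption to extend for your own API. The scanner pulls the request line out of each entry and flags any query-string parameter that looks like a credential, which is the check a defender runs over existing logs; the redaction helper shows what the logged target should look like instead. Note that the `curl --data` form from the reply lands as `POST /index.php` with the password in the body, which the request line never records.

```python
"""Added example: find credentials that were sent in URLs by scanning web-server access
logs, and redact them before the log is stored (constructed sample data below)."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: parameter names that carry secrets in this API; extend to match your own.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "api_key", "apikey", "secret", "access_token"}

# The request line inside a "combined" log entry: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (RFC 5737 documentation addresses, made-up credentials).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /api/data?api_key=abc123 HTTP/1.1" 200 88 "-" "python-requests/2.31"',
]


def credentials_in_request_target(target: str):
    """Sensitive query-parameter names present in a request target such as '/p?password=x'."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS})


def scan_access_log(lines):
    """Return (line number, method, path, [flagged parameter names]) for each offending entry."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        names = credentials_in_request_target(m.group("target"))
        if names:
            findings.append((lineno, m.group("method"), urlsplit(m.group("target")).path, names))
    return findings


def redact_request_target(target: str) -> str:
    """Replace the value of every sensitive parameter, keeping the rest of the URL intact."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for lineno, method, path, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} {path} carries {', '.join(names)} in the query string")
    print(redact_request_target("/index.php?user=alice&password=hunter2"))
```

Only the two GET entries are reported; the POST produced by `curl --data` logs a bare `/index.php`. Running the redaction at log-write time (a log-format directive or a filter in front of the log shipper) is the mitigation if the URL design cannot be changed immediately.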
