
Even if you use HTTPS, aren't you vulnerable to lazy devs who put the password in the URL?

If I use https://username:password@example.com/, doesn't that URL show up in server logs all over the internet?

Don't ever use passwords for API authentication. It's an API, not a browser. The users of an API are other programs, not people. Issue single-purpose random credentials.

I didn't think this was something I had to point out about API authentication, but apparently it is.

I have a stupid question: how do you do this with HTTP Basic auth?

Generate random long passwords.

By "don't ever use passwords" you mean, "don't let users set their own passwords," right?

Obviously, you're still using a password if you use HTTP Basic Auth.

You shouldn't ever use username/password pairs for API authentication. If the user ever changed their password, then their API calls would immediately fail!

This is one of many benefits of using multiple (revokable) API Keys.

No. The UA strips those and puts them in an Auth header.

Depends on the UA (curl?)

OK, so it'll either add an auth header or not know what to do and refuse to do anything. Either way the password is not sent in the request URL.

Actually, I must have screwed up last night. The version of curl I have does support it and does put it into the Auth header.

  % curl --trace-ascii /dev/stdout http://jimktrains:password@news.ycombinator.com
  == Info: About to connect() to news.ycombinator.com port 80 (#0)
  == Info:   Trying == Info: connected
  == Info: Server auth using Basic with user 'jimktrains'
  => Send header, 223 bytes (0xdf)
  0000: GET / HTTP/1.1
  0010: Authorization: Basic amlta3RyYWluczpwYXNzd29yZA==
Some UAs, however, do just drop it, like IE (http://support.microsoft.com/kb/834489).

Even curl does the right thing for basic auth

Please correct me if I'm wrong. HTTPS will encrypt the URL, but the DNS lookup is in clear. So the "username:password@example.com" part will be sniffable/loggable.


That's incorrect. The URI library will parse the URL into a hostname, username, and password. Only the hostname is sent to the DNS server.

The username and password are sent in the "Authorization" HTTP header, which will be encrypted.
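An added example (not from anyone in this thread) that makes the last two points concrete: a URL-parsing client splits `user:pass@host` into a hostname (the only thing a resolver ever sees), a request target, and a Basic `Authorization` header, which is why the credentials are never in the request line. The helper names `split_credentials` and `redact_url` are mine; the first input is the URL from the curl trace above, the second is a constructed example.

```python
import base64
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url):
    """Mimic what a conforming user agent does with userinfo in a URL.

    Returns (dns_hostname, request_target, authorization_header_value).
    The hostname is what goes to DNS; the request target is what appears
    in the request line; the credentials travel only in the header.
    """
    parts = urlsplit(url)
    host = parts.hostname          # userinfo already stripped here
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    auth = None
    if parts.username is not None:
        creds = f"{parts.username}:{parts.password or ''}".encode()
        # RFC 7617 Basic scheme: base64(user ":" password)
        auth = "Basic " + base64.b64encode(creds).decode()
    return host, target, auth


def redact_url(url):
    """Log-safe rendering of a URL: keeps scheme, user, host, port and
    path but replaces the password, so that a careless client-side log
    of 'the URL we fetched' does not leak credentials."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = parts.hostname
    if parts.port:
        netloc += f":{parts.port}"
    netloc = f"{parts.username}:***@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # The URL from the curl trace in this thread.
    print(split_credentials("http://jimktrains:password@news.ycombinator.com"))
    # A constructed URL showing the redacted form a client should log.
    print(redact_url("https://alice:s3cret@example.com:8443/v1/items?x=1"))
```

The header value produced for the trace URL matches the `Authorization: Basic amlta3RyYWluczpwYXNzd29yZA==` line curl printed above.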
