Are there security or other considerations when choosing if a Username and Password should be specified to a REST request as a Query string "?user=key&password=secret" or as the typical Base64 encoded Basic Auth string?

I can do either and I'm not sure in what cases one approach is better than the other? In this scenario HTTPS will always be used.

FWIW, this is only going to be used for authentication and not authorization.

1 Answer

Since you are using HTTPS, the security level is the same.

The query string and the headers will be hidden to anyone in the middle of the transmission. I think the only visible thing will be the URI (i.e. www.google.com/about/).

Only the client (browser) and the server will see the headers and query string.

But, you are pretty much relying on HTTPS as your sole level of security.

Also, another point I would like to suggest is that if you're making a public REST API, I would not rely on cookies, if you plan on setting an authentication cookie from the query string request. Because really, only browsers use cookies. If it's a REST API then... you might have smart clients connecting and cookies would not be ideal.

I think Basic Auth would be the better choice for a REST API.

2 Comments

Thanks Evan, when you mention cookies is there anything about my two choices that would require cookies? Or are you saying as a third option if I used cookies for auth? Thanks again.
Forget I mentioned cookies. Just don't use cookies at all with REST. What I was trying to say is that the security for both is going to be equal but I would prefer Basic Auth.
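The answer above says both choices are equally protected in transit by HTTPS and that Basic Auth is preferable for a REST API. The following is an added example (not code from the question or the answerer) that shows the practical difference a defender cares about: the Basic Auth header is only Base64 encoding (trivially decodable, so HTTPS really is the sole protection), while credentials in a query string become part of the URL and tend to end up in server access logs, proxy logs and browser history unless they are redacted. It also shows a server-side check using a constant-time comparison. The host `api.example.com` and the credentials `alice` / `s3cret` are constructed sample values.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic Auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str):
    """Reverse of basic_auth_header. Base64 is encoding, not encryption:
    anyone who sees the header (logs, proxies, a TLS-terminating load
    balancer) recovers the password. Returns (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def query_string_url(base_url: str, user: str, password: str) -> str:
    """The alternative from the question: credentials carried in the URL."""
    return base_url + "?" + urlencode({"user": user, "password": password})


# Parameter names treated as secrets when scrubbing URLs before logging.
SENSITIVE_PARAMS = {"user", "password", "key", "secret", "token"}


def redact_url(url: str) -> str:
    """Scrub credential-bearing query parameters from a URL so that request
    logging does not persist passwords in plaintext. Other parameters are kept."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    scrubbed = {
        name: (["REDACTED"] if name.lower() in SENSITIVE_PARAMS else values)
        for name, values in params.items()
    }
    return urlunsplit(parts._replace(query=urlencode(scrubbed, doseq=True)))


def verify_credentials(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side Basic Auth check. Both fields are compared with
    hmac.compare_digest so response timing does not leak how many
    characters matched."""
    creds = decode_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and password_ok


if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")
    print("Authorization:", header)
    print("Decoded back to:", decode_basic_auth(header))
    url = query_string_url("https://api.example.com/v1/items", "alice", "s3cret")
    print("URL as a log line would record it:", url)
    print("URL after redaction:              ", redact_url(url))
    print("Server accepts header:", verify_credentials(header, "alice", "s3cret"))
```

Running the block prints the header, the decoded `('alice', 's3cret')` pair, the URL with the password visible, and the same URL with `user` and `password` replaced by `REDACTED`. The practical takeaway matching the answer: with HTTPS the two are equivalent on the wire, but the header form keeps secrets out of URLs, which are logged far more routinely than headers.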
