在网址中使用Api令牌或发布/卷曲安全 [英] Is using a Api token in url or post/curl safe

问题描述

我看过一些视频教程，例如Laravel. 谈到了用户在数据库中使用的API令牌，该令牌用于URL中的每个请求.

I have seen some videotutorials for example Laravel. There is talk of an API token that is in the database by a user and is used for each request in the url.

例如: www.domain.nl/api/user/1/edit?token =)#(UJRFe0wur0fMjewFJ

For example: www.domain.nl/api/user/1/edit?token=)#(UJRFe0wur0fMjewFJ

1. 即使您要更新，删除或添加，这也是一种安全的方法吗?
2. 任何人都可以拦截令牌吗?
3. 什么是最好的方法?

我希望有人能帮助我，谢谢！

I hope someone can help me, thanks!

推荐答案

即使您要更新，删除或添加，这也是一种安全的方法吗?

不，通常不是.可以在请求过程中一直读取URL中的令牌.如果令牌是唯一的并且只能一次性使用，那将是安全的.

Is this a safe way even when you want to update, delete or add?

No, generally it is not. The token in URL can be read during the request all along the way. It would be kind-of safe if the token were unique and for one-time-use only.

是的，除非您使用安全的HTTPS连接，否则请求路线中的几乎每个人都是如此.即便如此，仍可以在访问日志等中发现令牌.

Yes, almost everyone along the route of the request, unless you use a secured HTTPS connection. Yet even then can the token be discovered, eg in access logs etc.

此外，对GET请求使用令牌i URL意味着带有令牌的URL将保留在您的浏览器历史记录中，这是另一种潜在的安全风险.

Furthermore, using the token i URL for GET requests means that the URL with the token will stay in your browser history which is an another potential security risk.

最好的方法是在标头或POST请求字段中发送令牌数据.

The best way would be to send the token data in a header or in a POST request field.

请参阅SO QA" HTTPS查询字符串是否安全?"

See the SO QA "Is an HTTPS query string secure?"

这篇关于在网址中使用Api令牌或发布/卷曲安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！