在 HTTPS URL 中以纯文本形式传递登录凭据是否安全? [英] Is it secure to pass login credentials as plain text in an HTTPS URL?
问题描述
在 HTTPS URL 中以纯文本形式传递登录凭据是否安全?
Is it secure to pass login credentials as plain text in an HTTPS URL?
https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password
更新: 假设这不是在浏览器中输入,而是以编程方式生成并使用 POST 请求(不是 GET 请求)进行请求.安全吗?
Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?
在 GET 请求(即在浏览器中输入 URL)中使用这种类型的 URL 是不安全的,因为请求的 URL 将保存在浏览器历史记录和服务器日志中.
It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.
但是,将凭据作为一部分传递给 https://domain.com/ClientLogin(即提交表单)作为 POST 请求提交是安全的POST body,因为 POST body 在连接到请求的 URL 后被加密和发送.因此,表单操作将是 https://domain.com/ClientLogin 并且表单字段值将在 POST body 中传递.
However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.
以下链接帮助我更好地理解了这一点:
Here are some links that helped me understand this better:
对 StackOverflow 问题的回答:https URL 是否加密?
Google 答案:HTTPS - 网址字符串本身是否安全?
推荐答案
不.他们不会在运输途中被看到,但会留在:
No. They won't be seen in transit, but they will remain in:
- 浏览器历史记录
- 服务器日志
如果可能,请在身份验证上使用 HTTPS 上的 POST,然后设置经过身份验证"的 cookie,或通过 HTTPS 使用 HTTP 摘要授权,甚至通过 HTTPS 使用 HTTP 基本身份验证 - 但无论您做什么,都不要放URL 中的机密/敏感数据.
If it's at all possible, use POST over HTTPS on authentication, and then set a "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.
当我写使用 POST"时,我的意思是在 POST 字段中通过 HTTPS 发送敏感数据".发送 POST http://example.com/ClientLogin?password=hunter2 与使用 GET 发送一样错误.
when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST http://example.com/ClientLogin?password=hunter2 is every bit as wrong as sending it with GET.
TL;DR:不要在 URL 中输入密码.曾经.
这篇关于在 HTTPS URL 中以纯文本形式传递登录凭据是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
