将登录凭据作为纯文本传递到HTTPS URL是否安全? [英] Is it secure to pass login credentials as plain text in an HTTPS URL?
问题描述
将登录凭据作为纯文本传递到HTTPS网址是否安全?
Is it secure to pass login credentials as plain text in an HTTPS URL?
https://domain.com/ClientLogin?Email =jondoe@gmail.com& Passwd = 123password
更新:因此,假设未输入此内容浏览器,但是以编程方式生成并通过POST请求(而不是GET请求)进行请求。它是安全的吗?
Update: So let's say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?
在<$中使用这种类型的URL是不安全的c $ c> GET 请求(即在浏览器中输入URL),因为请求的URL将保存在浏览器历史记录和服务器日志中。
It is not secure to use this type of URL in a GET
request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.
但是,将 POST
请求提交到 https://是安全的domain.com/ClientLogin
(即提交表单),同时将凭据作为 POST正文
的一部分传递,因为 POST主体
在加密并在连接到请求的URL后发送。因此,表单操作将是 https://domain.com/ClientLogin
,表单字段值将在 POST正文中传递
。
However, it is secure to submit as a POST
request to https://domain.com/ClientLogin
(i.e. submitting a form) while passing the credentials as part of the POST body
, since the POST body
is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin
and the form field values will be passed in the POST body
.
以下是一些帮助我更好地理解这一点的链接:
Here are some links that helped me understand this better:
回答StackOverflow问题:https网址是否已加密?
Google Answers:HTTPS - URL字符串本身是安全的?
推荐答案
不。他们将不会在途中看到,但它们将保留在:
No. They won't be seen in transit, but they will remain in:
- 浏览器历史记录
- 服务器日志
如果可能的话,请使用POST验证时使用HTTPS,然后设置已验证的cookie,或使用HTTPS上的HTTP摘要授权,甚至通过HTTPS使用HTTP Basic验证 - 但无论您做什么,都不要将秘密/敏感数据放入URL中。
If it's at all possible, use POST over HTTPS on authentication, and then set a "authenticated" cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS - but whatever you do, don't put secret/sensitive data in the URL.
编辑:当我写使用POST时,我的意思是在POST字段中通过HTTPS发送敏感数据。发送 POST http://example.com/ClientLogin?password=hunter2
与使用GET发送它一样错误。
when I wrote "use POST", I meant "send sensitive data over HTTPS in POST fields". Sending a POST http://example.com/ClientLogin?password=hunter2
is every bit as wrong as sending it with GET.
TL; DR:不要在网址中输入密码。永远。
这篇关于将登录凭据作为纯文本传递到HTTPS URL是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!