Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 3 down vote favorite
1

I have a Asp.net Web API project.

The project validates all the requests by receiving a parameter named sessionToken

http://myapi.com/api/applications/getApplications?sessionToken=xxx

However, i heard that is not safe to send the sensitive parameters via public urls, and i've seen an example where i can add the sessionToken parameter inside the header of the HttpClient request:

using (HttpClient client = new HttpClient())
{
    client.BaseAddress = new Uri("http://myapi.com/");
    client.DefaultRequestHeaders.Add("sessionToken", "xxx");

    HttpResponseMessage response = await client.GetAsync("api/applications/getApplications");
    string stringResponse = await response.Content.ReadAsStringAsync();
}

I am happy that now i can read the parameter without having to put it in the url.

Is it safe to send sensitive data via http request headers? (of course that they will be encrypted at least)

share|improve this question

2 Answers

up vote 1 down vote

Unless the connection is encrypted, I believe sending any sensitive information in url or header is not a good idea. If you want to still send it over unsecured http, use some short of public/private key encryption which can encrypted the data. I have build an application where the url contain some encrypted data which is valid for a short span (for example 2 mins).

share|improve this answer
up vote 1 down vote

You are right that putting security sensitive information on Url is not a good idea. It can lead to information disclosure.

Putting it to header is recommended. Here are some further suggestions:

  • Use Authorize header instead of custom header. Authorize header is designed for authentication purpose. You can define your own scheme or you can use existing scheme like bearer defined in OAuth 2.0 instead of reinventing all wheels.

  • Client should always use TLS to protect from MITM attack

  • Client should always check certificate chain when making request to avoid DNS hijacking attack

  • Set expiration on token to be short lived to avoid replay attack

  • Make sure your client code won't store token to unsafe places, which can be access by others

share|improve this answer
Thank you..i will research on each of them to see how can i defend properly...Dangers everywhere! – RaraituL Apr 30 at 6:18

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.