Hi all,

Thanks a lot for your replies. Since the spec says to implement using the query string, I will implement according to the spec specified by Johann, and I will mention the security considerations in the documentation.

Regards

On Sat, Nov 22, 2014 at 12:50 PM, Harsha Kumara <[email protected]> wrote:

> Hi,
>
> As Johann mentioned, if the specification defines sending the token as the
> query param, we need to support it and implement it as the specification
> specifies. But again, the user who is going to use it needs to be aware of
> the security issues caused by using the token as a query param. Also, the
> specification specifies that it is discouraged to use this approach. IMO, if
> we support it, we shouldn't use it in our products unless there is a
> specific reason.
>
> Thanks,
> Harsha
>
> On Sat, Nov 22, 2014 at 10:15 AM, Udara Liyanage <[email protected]> wrote:
>
>> Hi,
>>
>> Given you use HTTP, if the request is intercepted, keys are exposed whether
>> you send them in the URL or in headers.
>> If you use HTTPS, headers and URL are both encrypted, I guess. However,
>> sending in the URL has some drawbacks:
>>
>> 1) browsers cache the URL
>> 2) it will be printed in logs, as Johann mentioned
>>
>> So the better and more common practice is sending it in headers.
>>
>> Touched, not typed. Erroneous words are a feature, not a typo.
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> Blog: harshcreationz.blogspot.com
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
*Sam Sivayogam*
Software Engineer
Mobile : +94 772 906 439
Office : +94 112 145 345
*WSO2, Inc. :** wso2.com <http://wso2.com/>*
lean.enterprise.middleware.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
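The thread's conclusion is to accept the token in the query string because the spec allows it, while documenting the caveats (URL ends up in browser caches and server logs). The following is an added example, not code from this thread or from the WSO2 project, showing how a resource server can support both carriers and still contain the two risks the thread names: it prefers the Authorization header, falls back to the query parameter, marks responses to query-string requests as non-cacheable, and scrubs the token value from access-log lines before they are written. It assumes the spec in question is the OAuth 2.0 Bearer Token Usage spec (RFC 6750), which is where the `access_token` query parameter and the `Cache-Control: private` requirement for such responses come from; the header names, the `extract_bearer_token` / `redact_url` / `redact_log_line` helpers and the sample log lines are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the query parameter name is the one RFC 6750 defines.
TOKEN_PARAM = "access_token"

# "Bearer <token>" in the Authorization header; scheme is case-insensitive.
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)

# Matches the token value wherever it appears in a raw log line or URL fragment.
TOKEN_IN_TEXT_RE = re.compile(r"(%s=)[^&\s\"']+" % re.escape(TOKEN_PARAM))


def extract_bearer_token(headers, query_string):
    """Return (token, source) where source is 'header', 'query' or None.

    The Authorization header is checked first, so a client that sends the
    token the recommended way never has it read from the URL.
    """
    auth = headers.get("Authorization", "").strip()
    match = BEARER_RE.match(auth)
    if match:
        return match.group(1), "header"

    params = dict(parse_qsl(query_string, keep_blank_values=True))
    token = params.get(TOKEN_PARAM)
    if token:
        return token, "query"
    return None, None


def response_headers_for(source):
    """Extra response headers depending on how the token arrived.

    RFC 6750 requires 'Cache-Control: private' when the token came in the
    query string (assumption: we add 'no-store' on top, which is stricter).
    """
    if source == "query":
        return {"Cache-Control": "private, no-store"}
    return {}


def redact_url(url, param=TOKEN_PARAM):
    """Rebuild a URL with the token parameter's value replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == param for key, _ in pairs):
        return url
    scrubbed = [(key, "REDACTED" if key == param else value) for key, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_log_line(line):
    """Scrub the token value from a raw access-log line before it is written."""
    return TOKEN_IN_TEXT_RE.sub(r"\1REDACTED", line)


# Constructed sample access-log lines (not real traffic) for demonstration.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /api/v1/items?limit=5&access_token=abc123 HTTP/1.1" 200',
    '10.0.0.6 - - "GET /api/v1/items?limit=5 HTTP/1.1" 200',
]


def redacted_sample_log():
    """Apply the scrubber to the constructed sample log."""
    return [redact_log_line(line) for line in SAMPLE_ACCESS_LOG]


if __name__ == "__main__":
    token, source = extract_bearer_token({}, "limit=5&access_token=abc123")
    print(source, response_headers_for(source))
    print(redact_url("https://api.example/v1/items?limit=5&access_token=abc123"))
    for line in redacted_sample_log():
        print(line)
```

In a real deployment the redaction would sit in the logging pipeline (an access-log formatter or a log-shipping filter), so that the token never reaches disk rather than being cleaned up afterwards; the `Cache-Control` header addresses the browser-cache concern but does not stop the URL from appearing in browser history or `Referer` headers, which is why the header carrier remains the recommended default.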
