On Jun 10, 2014, at 1:58 AM, CouchbaseLover <[email protected]> wrote:

> "You can also embed the username/password directly in the replication URL if 
> you want, like
>       http://username:[email protected]:4984/db/"
> Is this really secure though? 

The URL in that form never leaves your device. Remember, HTTP doesn't directly 
send URLs. What shows up in the request is like
        GET /db HTTP/1.1
        Host: host.com:4984
        WWW-Authenticate: ....base64....

It's true that HTTP basic auth itself is insecure, because it's trivial to read 
the username and password from the value of the WWW-Authenticate: request 
header. That's why you shouldn't use basic auth except over SSL. But this has 
nothing to do with whether you embed the username/password in the URL.

--Jens
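
The point made in the reply above, as an added example that is not part of the original message or of Couchbase's code: an HTTP client strips the credentials out of the URL and sends them base64-encoded in the Authorization request header, which anyone who can read the request decodes in one step. The hostname, username and password are constructed sample values, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, unquote


def build_request(url):
    """Return the request lines a client derives from a URL with userinfo."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.port:
        host = f"{host}:{parts.port}"
    # The request line and Host header never contain the userinfo part.
    lines = [f"GET {parts.path or '/'} HTTP/1.1", f"Host: {host}"]
    if parts.username is not None:
        userpass = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
        token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
        lines.append(f"Authorization: Basic {token}")
    return lines


def decode_basic(header_line):
    """Recover (username, password) from an Authorization: Basic line."""
    name, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if name.strip().lower() != "authorization" or scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # base64 is an encoding, not encryption: no key is needed to reverse it.
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def safe_for_basic(url):
    """True unless the URL would send Basic credentials over plain HTTP."""
    parts = urlsplit(url)
    return parts.username is None or parts.scheme == "https"


# Constructed sample URL (not a real host or account).
SAMPLE_URL = "http://alice:s3cret@sync.example.com:4984/db/"

if __name__ == "__main__":
    request = build_request(SAMPLE_URL)
    print("\n".join(request))
    print("decoded by an observer:", decode_basic(request[2]))
    print("safe to send as-is:", safe_for_basic(SAMPLE_URL))
```
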
