On Mon, Jul 27, 2015 at 11:28 AM, Matthew Wild <[email protected]> wrote:
> I'll just quickly note that I don't see any security advantage to a
> token in a header (if we're always over HTTPS, which I assume we are
> if we care about this). The attacker guessing an unpredictable URL is
> no different to an attacker guessing an unpredictable auth token.

In my case this would be about delegating to external services that require auth; if it's a local file upload service which we control, then yes, a random URL is enough.

—Sam

--
Sam Whited
pub 4096R/54083AE104EA7AD3
https://blog.samwhited.com
