Hi,

As Johann mentioned, if the specification defines sending the token as a query param, we need to support it and implement it as the specification specifies. But again, the user who is going to use it needs to be aware of the security issues caused by using the token as a query param. Also, the specification specifies that this approach is discouraged. IMO, if we support it, we shouldn't use it in our products unless there is a specific reason.
Thanks,
Harsha

On Sat, Nov 22, 2014 at 10:15 AM, Udara Liyanage <ud...@wso2.com> wrote:
> Hi,
>
> Given you use HTTP, if the request is intercepted, keys are exposed even
> if you send them as URL or as headers.
> If you use HTTPS, headers and URL are both encrypted I guess. However
> sending in the URL has some drawbacks,
>
> 1) browsers cache the URL
> 2) it will be printed in logs, as Johann mentioned
>
> So the better and common practice is sending as headers.
>
> Touched, not typed. Erroneous words are a feature, not a typo.
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com