What is a secure way to send credentials to the server?



  • I am currently making a file server (Based on HTTP) for my service. I want an upload key, so a key that is needed for uploading. To get this key, the client has to provide his login data.

    Let's say my site has the following link where you can get the key:

    www.example.com/content/upload/genkey

    Currently, the client must specify his credentials in the query of the get request. So in my example: www.example.com/content/upload/genkey?name=example&password=12345

    As you may already see, this is not really secure. It is recorded in the server's log data and can be easily seen by others.

    Now my question is:

    How could the client now send the authentication data to the server in a secure way?



    1. Check what log is it. If this is a log before the TLS termination point, then the server does not see the URL and paramaters, because they are encrypted. If the log is behind the TLS termination point, then the server can of course see the whole request.

    2. Use HTTP POST instead of HTTP GET. Put user name and password to the request, don't use them as request parameters. The bodies are usually not written to the log. Check the settings of your web server.

    3. Use Basic Authentication instead of sending user name and password as a request. Then the browser will send user name and password as a separate data package upon server request. Such data are normally not written to the log. Again, check the settings.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2