Is it secure to send username and password in a Json object in the body of a post request? Is it secure to send username and password in a Json object in the body of a post request? json json

Is it secure to send username and password in a Json object in the body of a post request?


json security passwords

Lets divide it to many points:

1) you use a valid SSL certificate to secure the communication between the user and the server (It must be valid)

2) Sending the username and password in the body of the POST request is the best practice (Never use GET to send sensitive information such as Credentials)

3) Sending the api token in the HTTP request and response headers is the best practice (Again never use GET to send sensitive information such as session tokens)

So based on the points above, it seems that there is no risk in this implementation but you need to take the following points in your consideration:

1) The time out of the API token should be short in case of idle user. (5 ~ 15 mins are the averages based on the criticality of the application)

2) The length of the API token should be long string approx. 30 ~ 40 characters.

3) The API token generation must be randomized and hard to predict to protect from (session prediction attacks.)

Hope this help you.

json security passwords

What you are describing is basically HTTP basic authentication.

Is sending the username and password like this best practice/secure, or is it better to send it in the header?

In security point of view I cannot think of a big difference whether you send the credentials in the body or in the header. Basically whoever manages to read the clear text message, can see the credentials in both components. The common practice when using the basic authentication is to use the HTTP header though:

Authorization: Basic VGVzdFVzZXI6UGFzc3dvcmQxMjM0

where VGVzdFVzZXI6UGFzc3dvcmQxMjM0 is your base64-encoded credentials. The decoded string in this case is: TestUser:Password1234

It is important to realize that in your case the TLS is the only protection for the credentials in transit so you must identify all the nodes in the communication channel that could potentially expose the clear message. For example if you are using proxies that would terminate the TLS, those proxies are potential vectors for MITM attacks.

If you want to increase the security for the credentials in transit, one option could be to implement asymmetric end-to-end encryption so that you would encrypt the credentials with an authenticated public key on the client-side (e.g. certificate signed by a trusted CA) and then decrypt it at the destination with the private key known only for your server. In this case you would not need to worry too much what happens to the message in-transit.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last