Is it safe to send the username and password in a JSON object in the message body?

I am building a web application and my web server is secure, meaning it uses an SSL certificate to encrypt the connection.

When the user logs in, a JSON object is created that looks like this and is sent to the server.

{
    "username": "the user username",
    "password": "the user password"
}

On the server, this is verified using a salted hash algorithm. Once it is checked, an API token is created, which is valid for a certain time and is passed in the header back and forth to identify the user when requests are made. Is sending the username and password this way best practice / secure, or is it better to send them in the header?

+4
2 answers

Let me break this down into several points:

1) you use a valid SSL certificate to protect communication between the user and the server (it must be valid)

2) Sending a username and password in the body of a POST request is best practice (never use GET to send sensitive information such as credentials)

3) Sending an API token in HTTP request and response headers is best practice (again, never use GET to send sensitive information such as session tokens)

Therefore, based on the points above, it seems that there is no risk in this implementation, but you need to consider the following points:

1) - API . (5 ~ 15 - , )

2) API . 30 ~ 40 .

3) API () .)

, .

+4

, , , , HTTP.

, , /, ?

, . , , . HTTP, :

Authorization: Basic VGVzdFVzZXI6UGFzc3dvcmQxMjM0

VGVzdFVzZXI6UGFzc3dvcmQxMjM0 - , base64. : TestUser:Password1234

, TLS , , . , -, TLS, - MITM.

, , (, ), , . , .

+1
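The flow both answers describe (credentials in a JSON POST body, a salted hash check on the server, a time-limited token in an Authorization header, and Basic auth being only base64) as an added, self-contained Python example; it is not code from the thread. The PBKDF2 parameters, the Bearer scheme, the 15-minute lifetime and the single constructed user are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256 (assumed parameters); the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store: username -> (salt, hash). Values are made up for the example.
_SALT = secrets.token_bytes(16)
USERS = {"TestUser": (_SALT, _hash("Password1234", _SALT))}
_DUMMY = (_SALT, b"\x00" * 32)           # compared against when the user is unknown

TOKENS = {}                              # token -> (username, expiry as epoch seconds)
TOKEN_TTL = 15 * 60                      # assumed lifetime: 15 minutes

def login(body: str) -> Optional[dict]:
    """Handle the JSON login body from the question; return a token or None."""
    try:
        creds = json.loads(body)
        username, password = creds["username"], creds["password"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    record = USERS.get(username)
    salt, stored = record if record else _DUMMY   # same work for unknown users
    if not (hmac.compare_digest(_hash(password, salt), stored) and record):
        return None
    token = secrets.token_urlsafe(32)             # random, not derived from the user
    expires_at = time.time() + TOKEN_TTL
    TOKENS[token] = (username, expires_at)
    return {"token": token, "expires_in": TOKEN_TTL, "expires_at": expires_at}

def authenticate(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Check the Authorization header on a later request; return the user or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    token = value[len("Bearer "):]
    entry = TOKENS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if (now if now is not None else time.time()) >= expiry:
        TOKENS.pop(token, None)                   # expired: drop it server-side
        return None
    return username

def decode_basic(header_value: str) -> str:
    """Basic auth (second answer) is only base64: the header decodes to user:password."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()
```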

Source: https://habr.com/ru/post/1682380/

