Is this secure?

  • Resolved quantafire

    (@quantafire)


    4 years, 3 months ago

    I was taught that putting important information in parameters was not a good idea? I notice in this plugin we have authentication URLS looking like this:

    https://mysite.local/?rest_route=/simple-jwt-login/v1/users&email=NEW_USER_EMAIL&password=NEW_USER_PASSWORD&AUTH_KEY=AUTH_KEY_VALUE

    My understanding is that this would then mean that a user’s password could be displayed in system logs. Why has it been done this way? Is it not more secure to pass inside the POST body?

    I’d love to use this plugin but having passwords in parameters, I was warned against.

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nicu_m

    (@nicu_m)

    Hello @quantafire,

    You’re perfectly right and I agree with you.

    The sample generated URL from the plugin is just an example that shows the endpoint and the available parameters.

    I also suggest that the parameters should be not added to the URL. You can add the parameters in the post body, and you will have the same result.

    Also, my guess is that, when you try to create users, you will generate a form ( or an ajax call ), that calls the URL and add the parameters in the body of the request( not in the URL).

    To answer your question, I say “yes”, the plugin is secure. Also, I’ve added an info box in the create users section, where I suggest that the admins should use “Auth Code” when they create users. This Auth Code acts like an “API KEY” and can be set to expire after a certain period of time.

    Also, the safest way to create users is to make a server-to-server call. You generate a form, with “captcha” on it, and, on form submit, you make the call to the plugin endpoint with the “Auth Code”. This auth code for creating users, should also not be visible to the end client.

    Best regards,
    Nicu.

    Hello… in fact this is half correct :

    1. HTTP : Insecure
    All what you send with plain HTTP is just readable as is… So anything in URL (or in body) can be tracked fairly easily. Body just a little more complicated…

    2. HTTPS : Secure
    Encryption is exactly what the ‘S’ guaranties when passing anything in URL as well as in body or so.

    CONCLUSION :
    To be secure, I would strongly suggest you get a SSL certificate (easily got for free), and go with HTTPS.
    Here a little link about it.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Is this secure?’ is closed to new replies.