
According to Instagram's documentation, we send an access token through a GET request over HTTPS. Isn't this considered insecure? Because I've read that you shouldn't even send passwords over a GET request.

For /media/media-id (the first example):

https://api.instagram.com/v1/media/{media-id}?access_token=ACCESS-TOKEN
Anders
testinggnitset ser

1 Answer


As explained here, sensitive data in the URL query part (such as a secret API token) is primarily an issue if the URL is accessed directly in the browser and is therefore visible in the URL bar as well as stored in the browser history.

But API requests are usually performed in the background of an app or via a background AJAX request, and therefore you're much less likely to run into a situation where the plain API request URL is presented to a user. Therefore the dangers of sensitive data in the URL are negligible for an API.

Also note that over HTTPS the full HTTP request is encrypted, including the query part. Only the hostname (api.instagram.com) would be exposed to a MITM as a side effect of SNI.

Arminius
  • Great answer! I would add that if you have a proxy that does TLS interception, you will risk having your access token recorded in logs on it. But since you need to explicitly trust such a proxy for it to be able to read your traffic, I would say it is a minor issue. – Anders May 02 '17 at 07:29
  • What if I HAVE TO send the API token in the URL? Is it a big issue? – Ramesh Pareek Feb 14 '18 at 12:33
  • @RameshPareek If the API token is visible in the user's URL bar and not just a one-shot token, then you might want to avoid it for the reasons I gave in this answer. If the token is just part of a background request, you're most likely fine. – Arminius Feb 14 '18 at 13:21
  • Just to add to @Anders' comment on logging of the URL (and therefore the token): an environment that needs to comply with PCI or HIPAA rules may not consider this logging a minor issue. It definitely depends on the specific scenario, but I think if the token allowed one to access PHI (for example), the logging of it would be a problem. – Jason Capriotti Apr 23 '19 at 16:29