19

Is there any security difference between placing sensitive data, such as an API key in a POST request header versus the POST request body assuming the API server is HTTPS-only?

While you frequently see API keys in the Authorization header or a custom X-API-KEY header, does placing the key in the header actually increase the level of security for the key or is this strictly an API design convention?

pxwise
  • I think you are using the *header* in the wrong meaning. GET and POST parameters are always transferred in the HTTP body. To clarify you can post an example. – sebix Aug 29 '15 at 10:07

2 Answers

18

If the transport itself is secured (i.e. https) an attacker cannot sniff the data. But it might be logged at the server side and the server might later be compromised or some security leak might cause the log files to be publicly visible. Such log files usually contain the URL and they might contain other lines from the headers like User-Agent, Referer and other headers if specified with a custom log format. Thus it might be a bad idea to put these API keys into the request header, unless you make sure that they don't get logged.

An argument against putting the key in the request body is that it would then be possible to create a simple HTML form which includes the key, which is easier to use as a CSRF request. When including the API key as a header instead, the attacker must be able to do an XHR request and is subject to the restrictions of CORS.

Another reason for not including the key in the URL is that it might get included in the Referer header of a following request. Also, URLs are usually contained in the browser's history, so that you have another place which could be compromised. This is relevant only for normal browser requests, i.e. XHR or REST requests done by applications are not affected.

Some explanation about the meaning of "header": sometimes one uses the name 'header' to distinguish the initial part of the HTTP message from the body. In this case the URL is part of the header (request line). Other times one talks about the headers (plural) and means the "field:value" pairs only, i.e. not including the request line with the URL. It is not fully clear to me which meaning is used in the question, so I had better cover both.

Steffen Ullrich
    This question doesn't seem to be asking about including API keys in the URL, but about an HTTP request header versus the request body (like how a POST form gets sent with `parameter=value` after the blank line between HTTP headers). Also, if you are worried about random HTTP headers getting logged, note that session cookies are sent in HTTP headers. – dr jimbob Aug 26 '15 at 17:53
  • @drjimbob: I've added an explanation about the possible meanings of the word "header" to the answer. – Steffen Ullrich Aug 26 '15 at 18:14
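The two practical points in the answer above, as an added example (not code from the original post or from either answerer): a custom header such as X-API-KEY takes the request out of the CORS "simple request" class, so a browser sends a preflight OPTIONS request first, whereas the same key in a form-encoded body (or in the URL) can be sent by a plain HTML form; and whichever location you pick, the server's access log must redact it. The safelisted method, header and content-type sets are those of the Fetch standard; the sample requests, header names, parameter names and log format are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# CORS-safelisted methods, request headers and form content types (Fetch standard).
# A cross-origin request that stays within these is sent without a preflight,
# which is exactly what a plain <form method="POST"> produces.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def needs_preflight(method, headers):
    """Return True when a browser would send a CORS preflight for this request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. X-API-KEY or Authorization: not sendable by a bare form
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


# Header and query-parameter names assumed to carry credentials (illustrative set).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie", "proxy-authorization"}
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token"}


def redact_headers(headers):
    """Replace credential-bearing header values before they reach a log."""
    return {
        k: ("REDACTED" if k.lower() in SENSITIVE_HEADERS else v)
        for k, v in headers.items()
    }


def redact_url(url):
    """Replace credential-bearing query parameters; keeps the rest of the URL intact."""
    parts = urlsplit(url)
    query = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def access_log_line(method, url, headers):
    """A custom-format access log line (request line, User-Agent, Authorization)
    built only from redacted values, so the key never lands on disk."""
    h = redact_headers(headers)
    return '"%s %s" "%s" "%s"' % (
        method,
        redact_url(url),
        h.get("User-Agent", "-"),
        h.get("Authorization", "-"),
    )


# Constructed sample requests: the same key sent three ways.
FORM_POST = ("POST", "https://api.example.com/v1/items",
             {"Content-Type": "application/x-www-form-urlencoded"})
HEADER_POST = ("POST", "https://api.example.com/v1/items",
               {"Content-Type": "application/x-www-form-urlencoded",
                "X-API-KEY": "sk_live_123", "User-Agent": "curl/8.0"})
URL_GET = ("GET", "https://api.example.com/v1/items?api_key=sk_live_123&q=widget", {})


def classify(method, url, headers):
    """Summarise the CSRF exposure and the logged form of one request."""
    return {
        "sendable_by_plain_form": not needs_preflight(method, headers),
        "log_line": access_log_line(method, url, headers),
    }


if __name__ == "__main__":
    for req in (FORM_POST, HEADER_POST, URL_GET):
        print(classify(*req))
```

Note that the body of FORM_POST (where the key would sit) is not inspected at all: the form-encoded content type alone is enough for the browser to send it cross-origin without a preflight, which is the CSRF point of the answer. The custom header in HEADER_POST flips that, and the redaction shows that the header and URL variants both need scrubbing before logging.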
7

I do not think there is a significant security advantage to using it in an HTTP header (not counting the URL, which is sent in the request line that starts the HTTP request, where you have to be more cognizant of it being logged in your browser history or server logs) vs. being in a POST request body.

The advantage of sending keys in an "Authorization header or a custom X-API-KEY header" would be separation and consistency among multiple methods in your API. That is you can deal with authentication with the same server code for GET, POST, PUT, etc. methods by checking the header field that the API uses. Furthermore, if the user needs to submit other POST/PUT data in the request body as part of their API request, it is kept separated from the authentication data.

dr jimbob
    Same idea I share with you: that could not be a difference (header/body) in case of HTTPS –  Aug 26 '15 at 18:15