
I have a django web app with a RESTful API written using TastyPie. I want to allow my mobile app access to the API that uses username and api_keys, but have struggled to know what the best way to get the api_key back to the mobile client.

I am following the resource code provided here: How can I login to django using tastypie

My question is if this is a secure method of passing a username and password as data parameters in a POST request. Should I be okay?

Here is an example of the post request:

POST to http://myapp.com/api/user/login with data { 'username' : 'me', 'password' : 'l33t' }.

bevinlorenzo
  • Sending requests over SSL is probably always a good idea if security is your main concern. – K Z Sep 27 '12 at 03:04

2 Answers

While data sent over a POST request can be sniffed, that doesn't necessarily mean that you shouldn't be using it to submit user credentials to your RESTful API. So, to answer your question directly:

  • POSTing a username and password for authentication is not secure. It can be sniffed.
  • That being said, submitting user credentials in this fashion is something that in my experience is done quite often. A good practice is returning a remember token (or in your case API key) to the user once they have been authenticated. Aside from persisting sessions, the advantage is that if some malicious user gets hold of an API key, it can be reset easily without needing to reset the user's username/password (although it might be a good idea to do so anyway). Of course the downside is that remember tokens/API keys are generally stored in unsafe places like browser cookies/mistakenly in the source of some github repo.

So, is POSTing authentication credentials sniff-proof? No. Can you do it / is it done? Yes. Of course, you can see if HTTPS is an appropriate solution for you in this context if you require more security.

rambo
  • Thanks. That is what I thought the case would be, but wanted another opinion. I may move this resource to https in the future, but for now, will continue as it is currently working. – bevinlorenzo Sep 27 '12 at 03:02
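The login-then-API-key flow this answer describes, as an added example (not code from the question, the answer, or Tastypie): a stand-in for the POST /api/user/login resource that refuses cleartext requests, issues a random key once the password checks out, and lets a leaked key be rotated without forcing a password reset. The in-memory user store, the `is_https` flag and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# In-memory stand-in for the Django user table (constructed for this example).
# Maps username -> {"salt", "pw_hash", "api_key"}.
USERS = {}

def _hash_password(password, salt):
    # PBKDF2 like Django's default hasher; iteration count kept low to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def create_user(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "api_key": None}

def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same work for unknown users: no timing oracle on usernames
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])

def login(is_https, data):
    """Stands in for POST /api/user/login. Returns (status, body) like the resource would."""
    if not is_https:
        # Without TLS the username/password in `data` travel in cleartext and can be sniffed.
        return 403, {"error": "login is only accepted over HTTPS"}
    if not check_password(data.get("username", ""), data.get("password", "")):
        return 401, {"error": "invalid credentials"}
    user = USERS[data["username"]]
    if user["api_key"] is None:
        user["api_key"] = secrets.token_hex(20)  # 160 bits from the OS CSPRNG, 40 hex chars
    return 200, {"username": data["username"], "api_key": user["api_key"]}

def rotate_api_key(username):
    """Revoke a leaked key without touching the password, as the answer suggests."""
    new_key = secrets.token_hex(20)
    USERS[username]["api_key"] = new_key
    return new_key

def authenticate_api_key(username, api_key):
    """Per-request check for the mobile client's later calls (ApiKeyAuthentication-style)."""
    user = USERS.get(username)
    if user is None or user["api_key"] is None:
        return False
    return hmac.compare_digest(user["api_key"], api_key)

if __name__ == "__main__":
    create_user("me", "l33t")
    print(login(False, {"username": "me", "password": "l33t"}))  # refused over plain http
    print(login(True, {"username": "me", "password": "l33t"}))   # key issued over https
```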

No, sending cleartext credentials is never secure. Anyone sniffing the traffic (including sniffing the traffic and dumping it all into a big logfile) will have the credentials.

L0j1k