Closed mattv-ais closed 3 months ago
Hi mattv-ais,
There is an alternative to this, and that is to make every call a POST. POST requests do not expose the parameters in the URL string; instead, parameters are part of the form data, which cannot be seen.
Regards, Scott
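Where the token ends up for a GET versus a form POST, as an added example that is not part of the original thread or the product's own code. The endpoint, the `token` parameter name and the token value are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed values for illustration only; not a real endpoint or token.
API = "https://api.example.test/students"
TOKEN = "EXAMPLE-TOKEN-0000"


def build_get(token):
    """Token in the query string: it becomes part of the URL itself."""
    return Request(API + "?" + urlencode({"token": token}), method="GET")


def build_post(token):
    """Token as form data: it travels in the request body, not the URL."""
    body = urlencode({"token": token}).encode()
    return Request(API, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def access_log_line(req):
    """What a typical access log records: method and request target only."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'"{req.get_method()} {target} HTTP/1.1"'


def token_locations(req, token):
    """Report which parts of the request carry the token."""
    return {
        "url": token in req.full_url,
        "body": req.data is not None and token.encode() in req.data,
        "access_log": token in access_log_line(req),
    }


if __name__ == "__main__":
    # No network traffic: the requests are only built and inspected.
    for req in (build_get(TOKEN), build_post(TOKEN)):
        print(access_log_line(req), token_locations(req, TOKEN))
```

With the GET form the token is copied wherever the URL goes (address bar, history, access logs); with the POST form it stays out of the URL but is still present in the request body.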
Was doing an audit of the different API integrations and noticed that the encrypted token is visible in the header. Anyone that can access the URL can paste this into a web browser and retrieve student data for as long as that token is valid.
Is there an alternative to this?