janlukasschroeder / sec-api-python

Python SEC EDGAR Filings API. Over 18 million filings, all 150 filing types supported. Query, full-text search and real-time stream API. Convert XBRL-to-JSON and access standardized financial statements from 10-K and 10-Q filings.
https://sec-api.io
MIT License

Consider providing API Key as header rather than query parameter #13

Closed SamStephens closed 3 weeks ago

SamStephens commented 3 weeks ago

As per https://sec-api.io/docs/query-api#authentication, the API Key can be provided as either a header or a query parameter. The API currently uses a query parameter.

Please consider switching to a header. URLs can end up going through proxies, scanning engines, and all sorts of entities that should not see a secret like an API Key. Headers are much less likely to be accidentally exposed.

janlukasschroeder commented 3 weeks ago

Absolutely agree from a security point of view. However, some use cases require the token parameter. For example, various clients are running scripts behind an internal company firewall blocking requests with Authorization headers and the only option to authenticate requests is via the token query parameter.

SamStephens commented 3 weeks ago

@janlukasschroeder thanks. Would you consider making this configurable (use header by default, and token parameter if configured for users who need it)? It's a dealbreaker for using this library for me.

For example, various clients are running scripts behind an internal company firewall blocking requests with Authorization headers

That's pretty unfortunate 🙄
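What the configurable behaviour requested in this thread could look like, as an added example written for this page (it is not code from sec-api-python and does not reflect how the library actually builds its requests). It assumes the `Authorization` header and the `token` query parameter named above as the two supported carriers, an illustrative base URL of https://api.sec-api.io, and a placeholder key; the `Client`, `build_request` and `redact_url` names are hypothetical. The request object is only built and inspected, never sent, so the block runs offline and shows exactly what a proxy or URL log would see in each mode.

```python
"""Header-by-default API-key transport with an opt-in query-parameter
fallback. Hypothetical illustration for the issue discussion above, not
the sec-api-python implementation."""
import urllib.parse
import urllib.request

# Assumed base URL for illustration; the real endpoint is not asserted here.
API_BASE = "https://api.sec-api.io"
SECRET_PARAMS = ("token",)  # query parameters that carry credentials


class Client:
    """auth_mode="header" (default) keeps the key out of the URL;
    auth_mode="query" is the escape hatch for networks that strip
    Authorization headers, and must be chosen explicitly."""

    def __init__(self, api_key: str, auth_mode: str = "header"):
        if auth_mode not in ("header", "query"):
            raise ValueError("auth_mode must be 'header' or 'query'")
        self.api_key = api_key
        self.auth_mode = auth_mode

    def build_request(self, path: str, params=None) -> urllib.request.Request:
        params = dict(params or {})
        headers = {"Content-Type": "application/json"}
        if self.auth_mode == "header":
            # Assumed header format from the thread: raw key in Authorization.
            headers["Authorization"] = self.api_key
        else:
            # Fallback: key travels in the URL, visible to anything that logs it.
            params["token"] = self.api_key
        url = API_BASE + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return urllib.request.Request(url, headers=headers, method="GET")


def secret_in_url(req: urllib.request.Request) -> bool:
    """True if any credential-bearing parameter is present in the request URL."""
    query = urllib.parse.urlsplit(req.full_url).query
    names = {k for k, _ in urllib.parse.parse_qsl(query, keep_blank_values=True)}
    return any(name in names for name in SECRET_PARAMS)


def redact_url(url: str) -> str:
    """Mask credential parameters before a URL is written to any log line,
    so query-mode users at least do not persist the key themselves."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k in SECRET_PARAMS else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


if __name__ == "__main__":
    key = "sk-test-placeholder"  # constructed placeholder, not a real key
    for mode in ("header", "query"):
        req = Client(key, auth_mode=mode).build_request("/", {"q": "x"})
        print(mode, "url:", req.full_url)
        print(mode, "Authorization header:", req.get_header("Authorization"))
        print(mode, "secret in URL:", secret_in_url(req))
        print(mode, "safe to log:", redact_url(req.full_url))
```

Only `full_url` reaches proxies, scanning engines and access logs; the header does not, which is the whole argument for making "header" the default and "query" an explicit opt-in. `redact_url` is the minimum a query-mode user should apply before writing a request URL to their own logs.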