lmucs / cher-ami

Exclusive Content Sharing

Authentication goes in the header, not in a URL parameter #5

Closed rtoal closed 10 years ago

rtoal commented 10 years ago

Auth tokens in query parameters are completely insecure. Hide them in a header. Make sure you find a good native-Go or reputable 3rd party library for token management or general-purpose authentication rather than trying to roll your own.

AuthorOfTheSurf commented 10 years ago

Sessionids are now expected in the header in routes that require authentication 745c2c5
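An added example, not part of the original thread and not cher-ami's own code: a Go `net/http` middleware that takes the session ID only from the `Authorization` header and refuses requests that carry a credential in the query string. The `Bearer` scheme, the parameter names `token` and `sessionid`, the in-memory `sessions` map and the `statusFor` helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical in-memory session store holding one constructed session ID.
var sessions = map[string]string{"constructed-session-id-123": "alice"}

// requireAuth accepts a session ID only from "Authorization: Bearer <id>".
// A request with a credential in the query string is refused, so clients
// cannot fall back to URLs that end up in access logs and Referer headers.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		for _, p := range []string{"token", "sessionid"} { // assumed names
			if _, present := q[p]; present {
				http.Error(w, "send credentials in a header", http.StatusBadRequest)
				return
			}
		}
		h := r.Header.Get("Authorization")
		id := strings.TrimPrefix(h, "Bearer ")
		if _, known := sessions[id]; !strings.HasPrefix(h, "Bearer ") || !known {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the middleware and
// returns the HTTP status code the client would see.
func statusFor(target, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	requireAuth(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("/messages", "Bearer constructed-session-id-123"))
	fmt.Println(statusFor("/messages?sessionid=constructed-session-id-123", ""))
}
```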