pretenders / ployst

The ployst core repo

Security: contains_valid_token #64

Open alexcouper opened 10 years ago

alexcouper commented 10 years ago

For now this is fine, but we should remember that this is subject to a man-in-the-middle attack because the headers can be reused to make subsequent requests "as" the original client.

txels commented 10 years ago

Good point. Well, this should be secure enough under HTTPS (same premise as HTTP basic authentication).

Do you have any specific idea in mind for a more secure approach?

alexcouper commented 10 years ago

Possibly S3-style signing of requests?

But you're right about HTTPS - that should take care of it.
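The S3-style request signing mentioned in the thread, as an added illustration that is not code from the ployst repo: each request is signed with a per-client secret over its method, path, body hash, timestamp and a one-time nonce, and the server rejects stale timestamps, reused nonces and any request whose signature does not match. A captured set of headers therefore cannot be replayed, with or without changes, to act as the original client. The client id, secret, header names and clock-skew window are constructed for the example.

```python
"""HMAC request signing with replay protection (illustrative, not ployst code).

Client: sign the canonical form of the request with a shared secret.
Server: recompute the signature, reject stale timestamps, reject nonces
already seen, so captured headers cannot be reused for further requests.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample values; a real deployment issues one secret per client.
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"constructed-secret-for-illustration-only"
MAX_CLOCK_SKEW = 300  # seconds; requests older than this are rejected


def canonical_string(method, path, body, timestamp, nonce):
    """Deterministic string both sides sign; the body is bound via its hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, secret, timestamp=None, nonce=None):
    """Client side: build the headers that accompany one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Client-Id": CLIENT_ID,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "Authorization": f"HMAC-SHA256 {sig}",
    }


class Verifier:
    """Server side: checks signature, freshness and single use of each nonce."""

    def __init__(self, secrets_by_client, now=time.time):
        self._secrets = secrets_by_client
        self._seen_nonces = set()  # in production: a store with expiry
        self._now = now

    def verify(self, method, path, body, headers):
        """Return (accepted, reason) for one incoming request."""
        secret = self._secrets.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            scheme, presented = headers["Authorization"].split(" ", 1)
        except (KeyError, ValueError):
            return False, "malformed headers"
        if scheme != "HMAC-SHA256":
            return False, "unsupported scheme"
        if abs(self._now() - timestamp) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        msg = canonical_string(method, path, body, timestamp, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the signature byte by byte.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        if nonce in self._seen_nonces:
            return False, "nonce already used (replay)"
        self._seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """A legitimate request, then the same headers replayed, tampered, and stale."""
    verifier = Verifier({CLIENT_ID: CLIENT_SECRET})
    body = b'{"action": "deploy"}'
    headers = sign_request("POST", "/api/deploy", body, CLIENT_SECRET)
    first = verifier.verify("POST", "/api/deploy", body, headers)
    replay = verifier.verify("POST", "/api/deploy", body, headers)
    tampered = verifier.verify("POST", "/api/delete", body, headers)
    old = sign_request("GET", "/api/status", b"", CLIENT_SECRET,
                       timestamp=int(time.time()) - 2 * MAX_CLOCK_SKEW)
    stale = verifier.verify("GET", "/api/status", b"", old)
    return first, replay, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "tampered", "stale"), demo()):
        print(f"{label:9s} -> {result}")
```

The timestamp bounds how long a captured request stays usable and lets the server expire old nonces; the nonce closes the window entirely for exact replays; binding the method, path and body hash into the signature means a captured header cannot be attached to a different request. Under HTTPS the headers are not exposed to a network observer in the first place, so this is defence in depth, as the thread concludes.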