serpapi / public-roadmap

Public Roadmap for SerpApi, LLC (https://serpapi.com)

Allow sending API key in header #784

Open ChuckJonas opened 1 year ago

ChuckJonas commented 1 year ago

From what I can tell, the only way to currently pass an API key is to send it in the URL. This is inherently insecure and causes the API key to show up in unintended places (system logs, network monitors, etc).

Please provide a way to send the API key in a header (ideally just using standard Bearer token authentication).

hartator commented 1 year ago

This is not documented, but you can submit a search using your signed-in cookie. E.g., try in your browser while signed-in to SerpApi: https://serpapi.com/search.json?q=search+without+api+key

This is a session-based authentication and you can use it in your backend code.

> This is inherently insecure and causes the API key to show up in unintended places (system logs, network monitors, etc).

Note that headers other than HTTP verbs and URLs can still show up in your logs and network monitors. SSL already encrypts paths + GET parameters (ref: https://stackoverflow.com/questions/499591/are-https-urls-encrypted). So, apps like logs and network monitors that have access to those (i.e., the full URL) will already have access to the rest of the headers (including Bearer tokens). This won't necessarily make your application more secure.
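The log-exposure point raised in this thread, as an added illustration that is not code from the thread or from SerpApi: a URL-carried `api_key` lands verbatim in any log line that records the request, so a defender who cannot move the key out of the URL at least masks it before it is written. The key value and the logger name below are constructed placeholders.

```python
import logging
import re

# Query parameters whose values must never reach a log line.
SECRET_PARAMS = frozenset({"api_key"})
REDACTED = "[REDACTED]"

# Matches `api_key=<value>` wherever it appears in free-form text, so the
# same redaction works for a bare URL and for a message like "GET <url>".
# The lookbehind keeps e.g. `my_api_key=` from being touched by accident.
_SECRET_RE = re.compile(
    r"(?i)(?<![\w-])("
    + "|".join(map(re.escape, sorted(SECRET_PARAMS)))
    + r")=[^&\s#]*"
)


def redact_url(text: str) -> str:
    """Mask the values of secret query parameters; everything else stays,
    so the log line remains useful for debugging."""
    return _SECRET_RE.sub(r"\1=" + REDACTED, text)


class RedactingFilter(logging.Filter):
    """Rewrites the record's formatted message before any handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_url(record.getMessage())
        record.args = ()  # already formatted; prevent a second % substitution
        return True


def serpapi_search_url(query: str, api_key: str) -> str:
    # Key-in-URL form the thread describes (constructed, not a live request).
    from urllib.parse import urlencode
    return "https://serpapi.com/search.json?" + urlencode({"q": query, "api_key": api_key})


def redacted_log_message(fmt: str, *args) -> str:
    """Run one record through the filter and return what a handler would write."""
    record = logging.LogRecord("outbound", logging.INFO, __file__, 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logger = logging.getLogger("outbound")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info("GET %s", serpapi_search_url("coffee", "sk-example-not-a-real-key"))
```

Attach the filter to every handler that can see outbound request URLs; a filter on the logger alone does not apply to records propagated from child loggers.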

Alaa-abdulridha commented 1 year ago

As @hartator mentioned, you can use the cookies to sign in, but it won't make your application safer. However, you can set up a reverse proxy on your backend, e.g. an nginx reverse proxy, and via the reverse proxy you'll have more options to deal with the API key or the cookies. This is useful in case you have a concern about your API key getting exposed if you're using it on your front-end.

ChuckJonas commented 1 year ago

@hartator I understand it's still possible to log it, but it's widely accepted that headers are the appropriate way to pass an API key:

https://www.rfc-editor.org/rfc/rfc7235
https://stackoverflow.com/questions/5517281/place-api-key-in-headers-or-url

Beyond that, some platforms (Salesforce in my case) just outright don't support sending secrets via the URL...