+2

In API, allow the apikey (and potentially other data) to be passed via JSON in a POST request.

Steve Shipway 7 years ago updated 6 years ago 1

When calling the API, the apikey is passed in the Querystring as an argument.  This is suboptimal as this may result in it being written into log files, leaking information.


Better, and more secure, would be for the apikey to be passed via JSON in a POST body, possibly also along with the various other parameters currently found in the path_info string.

This is even worse when using the API to create a new item, since in this case, the item name and password are part of the URL and likely to get logged by web servers, proxies, and the like!