Tags: node.js, access-token, loopbackjs, node-modules, loopback

Loopback - Hide Request Access Token


I have a security issue when I use the Loopback API. The issue is that the Access Token is accessible via the query URL / header. Can I hide the Access Token when I call the Loopback API, or is there any setting so that I can put the Access Token in the body with a POST function?

Thank you.


Solution

  • You should always be using HTTPS if you are doing authorization in your API.

    Just hiding the data from the URL won't help you prevent attacks, since the info will still be sent in plaintext inside the headers/cookies.

    If you enable HTTPS and redirect HTTP queries to HTTPS, then only the server and the client can see the value, which is the expected behavior.

    This will also prevent the login data from being sent in plaintext, which is always a bad idea.

    You can check this document on deployment or try this example project for enabling SSL.