We are passing secret keys to authenticate the GET requests between HTTPS-enabled websites. Which of the following ways is more secure:
    GET /auth?secret=8727n2i752gns982jsn
Only 2 servers know those secret keys.
Or should we set headers as follows:
    request({
        url: '/auth',
        headers: {
            'secretKey': 's87ehwdiw8y3dhj'
        }
    });
Which method is more secure, and why?
Ideally, sending a secret key isn't a good option. But if there is an utmost need, I would suggest you send the key in the headers, like:
    request({
        url: '/auth',
        headers: {
            'secretKey': 's87ehwdiw8y3dhj'
        }
    });
If you give a "secret key" to a browser, it's not secret anymore. JavaScript in the browser is just too open to really keep a key secret.
It is less visible, yet anyone can sniff it, as it's just JavaScript.
Here are a few links to enlighten you more:
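Separately from the links mentioned above, an added example (not code from the question or the answer) showing why the header form is "less visible" on the receiving server: the request line, query string included, is what an access log records, while headers normally are not logged. The function names, the log layout and the sample requests are assumptions constructed for illustration; the header name and value are the ones from the question.

```javascript
// Constructed sample: the shared secret both servers are assumed to hold.
const SECRET = 's87ehwdiw8y3dhj';

// Request line as a typical access log records it: method plus full URL.
// (Hypothetical layout; real formats differ, but the URL is normally there.)
function accessLogLine(req) {
  return `${req.ip} - - "${req.method} ${req.url} HTTP/1.1"`;
}

// Stop-gap for a service that still receives ?secret=...: redact before logging.
function redactUrl(url) {
  const u = new URL(url, 'https://placeholder.invalid'); // base only to parse a path
  if (u.searchParams.has('secret')) u.searchParams.set('secret', 'REDACTED');
  return u.pathname + u.search;
}

// Comparison that does not stop at the first differing character.
// In production Node code, crypto.timingSafeEqual does this on Buffers.
function sameSecret(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Receiving side: accept the secret only from the header, refuse it in the URL.
function authorize(req) {
  const u = new URL(req.url, 'https://placeholder.invalid');
  if (u.searchParams.has('secret')) return { ok: false, reason: 'secret in URL' };
  const sent = req.headers['secretkey']; // Node lowercases incoming header names
  return sameSecret(sent, SECRET)
    ? { ok: true }
    : { ok: false, reason: 'bad or missing header' };
}

// Constructed requests: the two variants from the question.
const viaQuery = { ip: '203.0.113.5', method: 'GET', url: `/auth?secret=${SECRET}`, headers: {} };
const viaHeader = { ip: '203.0.113.5', method: 'GET', url: '/auth', headers: { secretkey: SECRET } };

console.log(accessLogLine(viaQuery));  // secret is written to the log
console.log(accessLogLine(viaHeader)); // log line carries only /auth
console.log(redactUrl(viaQuery.url), authorize(viaQuery), authorize(viaHeader));
```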