Tags: angular, authentication, credentials

How to handle posting user creds during login via the UI to an API


I am messing around with building an Angular app front end that talks to a REST API (.NET Core). The question I have at the moment relates to how I should handle sensitive information (username/password) when I post the data to the API.

As an example, what I have now is a front end that submits the username/password as plain text in the body of the request. This seems bad and doesn't feel secure AT ALL to me, because if you have your dev tools open you can see the creds in the body of the POST like so:

{
  "username": "test",
  "password": "test"
}

Then on the back end I do this and compare the result with what is saved in a DB:

using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Derive a 16-byte key from the submitted password and the user's stored salt,
// then base64-encode it so it can be compared with the hash saved in the DB.
string hash = Convert.ToBase64String(KeyDerivation.Pbkdf2(
    password: password,             // plaintext password from the request body
    salt: salt,                     // per-user salt (byte[]) loaded from the DB
    prf: KeyDerivationPrf.HMACSHA1, // PBKDF2 with HMAC-SHA1 as the PRF
    iterationCount: 10000,
    numBytesRequested: 128 / 8      // 16 bytes of output
));

If it's a match I send back a token and Bob's your uncle, you're logged in.

How can I send the creds from my UI -> API in a better way?

Thanks!
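The server-side half of the flow described above (salted PBKDF2 on the submitted password, compare with the stored hash, hand back a token), as an added example that is not the poster's code. It is written in TypeScript on Node's built-in `crypto` module rather than the .NET Core API in the question, but uses the same PBKDF2 parameters as the snippet (HMAC-SHA1, 10,000 iterations, 16-byte output). Because the hash is salted per user, the server has to receive the password itself to recompute it; that is why the request body carries it in the clear and why transport protection (TLS) matters. The in-memory `users` map, `registerUser`, `verifyLogin` and `loginHandler` are assumptions standing in for the question's database and login endpoint.

```typescript
import { pbkdf2Sync, randomBytes, timingSafeEqual } from "crypto";

// Parameters mirroring the question's snippet: HMAC-SHA1, 10,000 iterations, 16-byte key.
const ITERATIONS = 10000;
const KEY_BYTES = 128 / 8;
const DIGEST = "sha1";
const SALT_BYTES = 16;

export interface StoredCredential {
  username: string;
  saltB64: string; // per-user random salt, base64
  hashB64: string; // PBKDF2 output, base64
}

// Constructed in-memory store standing in for the question's database (assumption).
const users = new Map<string, StoredCredential>();

// The same derivation the question performs with KeyDerivation.Pbkdf2.
export function deriveHash(password: string, salt: Buffer, iterations: number = ITERATIONS): Buffer {
  return pbkdf2Sync(password, salt, iterations, KEY_BYTES, DIGEST);
}

// Store a fresh random salt and the derived hash; never the password itself.
export function registerUser(username: string, password: string): StoredCredential {
  const salt = randomBytes(SALT_BYTES);
  const hash = deriveHash(password, salt);
  const rec: StoredCredential = {
    username,
    saltB64: salt.toString("base64"),
    hashB64: hash.toString("base64"),
  };
  users.set(username, rec);
  return rec;
}

// Recompute PBKDF2 over the submitted password and compare in constant time.
export function verifyLogin(body: { username: string; password: string }): boolean {
  const rec = users.get(body.username);
  // For an unknown user still run the full derivation against a dummy salt, so the
  // response time does not reveal whether the username exists.
  const salt = rec ? Buffer.from(rec.saltB64, "base64") : Buffer.alloc(SALT_BYTES);
  const expected = rec ? Buffer.from(rec.hashB64, "base64") : Buffer.alloc(KEY_BYTES);
  const actual = deriveHash(body.password, salt);
  const match = timingSafeEqual(actual, expected); // both buffers are KEY_BYTES long
  return rec !== undefined && match;
}

// Hypothetical login endpoint: returns a token on success, null otherwise.
export function loginHandler(body: { username: string; password: string }): { token: string } | null {
  if (!verifyLogin(body)) return null;
  // Opaque random token; persisting or signing it is outside this example.
  return { token: randomBytes(32).toString("hex") };
}
```

`deriveHash` takes the iteration count as a parameter only so the derivation can be checked against the published PBKDF2-HMAC-SHA1 test vector (password "password", salt "salt", 1 iteration); the login path always uses the 10,000 iterations from the question.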


Solution

  • Sending username and password is mostly done by executing an HTTP POST.

    Running your app on SSL (HTTPS) makes sure your data transfer cannot be intercepted.