Hacker News
by mmalone 3315 days ago
For webapp <=> API it's pretty much the same as any other header, but with a subtle semantic indication that the value associated with the header is being used for authentication. Generally the value is a password or a bearer token. The problem is that this token is usually not channel bound (can be stripped and used elsewhere) and often has broad authorization associated with it. The security characteristics depend on lots of details. Usually when people say not to use HTTP Auth they mean don't send the username / password in base64-encoded cleartext over the open internet, as suggested by early HTTP RFCs.
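To make the two points in the comment concrete, here is an added Python example (not code from the thread or from any project it mentions). It parses an `Authorization` header for the Basic and Bearer schemes, shows that Basic credentials are merely base64-encoded and decode straight back to the password, refuses Basic over a non-TLS connection, and verifies a bearer token by value alone, which is exactly the property that lets a token lifted from one channel be replayed on another. The user table, salt, token and header values are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample data for the example; none of it comes from the thread.
_SALT = b"constructed-salt"            # a real service uses a random per-user salt


def _hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (stand-in for a proper credential store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("hunter2")}      # constructed user table
VALID_TOKENS = {"tok_constructed_123"}           # constructed bearer token store


def make_basic_header(username: str, password: str) -> str:
    """Build a Basic header the way a client does: base64 of 'user:password'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(value: str) -> dict:
    """Split an Authorization header into its scheme and credentials.

    For Basic the credential is base64 of 'user:password' (RFC 7617). Base64 is
    an encoding, not encryption: anyone who can read the header can read the
    password, which is why Basic over plaintext HTTP is the thing people warn about.
    For Bearer the credential is an opaque token.
    """
    scheme, _, credential = value.strip().partition(" ")
    scheme = scheme.lower()
    credential = credential.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        username, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("Basic credentials must be 'user:password'")
        return {"scheme": "basic", "username": username, "password": password}
    if scheme == "bearer":
        if not credential:
            raise ValueError("empty bearer token")
        return {"scheme": "bearer", "token": credential}
    raise ValueError(f"unsupported scheme {scheme!r}")


def authorize(headers: dict, is_tls: bool):
    """Return (accepted, reason) for a request.

    Policy: never accept Basic over a plaintext connection; verify Basic
    passwords against the hashed store; accept a Bearer token if its value is
    known. Note that the bearer check inspects nothing but the token value, so
    the server cannot tell which connection or client it arrived on: the token
    is not channel bound, and a copy presented elsewhere is accepted too.
    """
    raw = headers.get("Authorization")
    if raw is None:
        return False, "no credentials"
    try:
        creds = parse_authorization(raw)
    except ValueError as exc:
        return False, str(exc)

    if creds["scheme"] == "basic":
        if not is_tls:
            return False, "Basic refused over plaintext: the password would travel in the clear"
        stored = USERS.get(creds["username"])
        if stored is None:
            return False, "unknown user"
        if not hmac.compare_digest(stored, _hash_password(creds["password"])):
            return False, "bad password"
        return True, f"Basic over TLS accepted for {creds['username']}"

    # Bearer: value-only check, no binding to the transport or the caller.
    if creds["token"] in VALID_TOKENS:
        return True, "bearer token accepted (value-only check, not channel bound)"
    return False, "unknown bearer token"


if __name__ == "__main__":
    header = make_basic_header("alice", "hunter2")
    print(header, "->", parse_authorization(header))        # password is right there
    print(authorize({"Authorization": header}, is_tls=False))
    print(authorize({"Authorization": header}, is_tls=True))
    print(authorize({"Authorization": "Bearer tok_constructed_123"}, is_tls=True))
```

Running the script prints the decoded `alice`/`hunter2` pair from the Basic header, a refusal over plaintext, an acceptance over TLS, and an acceptance of the bearer token that would be identical no matter which client presented it; binding the token to the channel (or narrowing what it is authorized to do) is what closes that gap, and neither is something the header scheme itself provides.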