by radlad
839 days ago
> how different is it really to have the "secret" be in the URL vs in a token you submit as part of the request for the URL?

I'm not sure I grok this. Do you mean, for example, sending a token in the POST body, or as a cookie / other header?

One disadvantage to having a secret in the URL, versus in a header or body, is that it can appear in web service logs, unless you use a URI fragment. Even then, the URL is visible to the user, and will live in their history and URL bar - from which they may copy and paste it elsewhere.
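Added example, not part of the comment above: a localhost server whose access log is captured, queried with the same secret placed in the query string, in a URI fragment, and in a header. The token value, the `/doc` path and all function names are constructed for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = "s3cr3t-constructed-token"  # constructed sample value


class LoggingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        # http.server's access-log line carries the request line and status,
        # not the request headers. Capture it instead of writing to stderr.
        self.server.access_log.append(fmt % args)


def access_log_for(path, headers=None):
    """Serve one request on localhost and return the access-log lines it produced."""
    server = HTTPServer(("127.0.0.1", 0), LoggingHandler)
    server.access_log = []
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    port = server.server_address[1]
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}", headers=headers or {})
    # Empty ProxyHandler: ignore any proxy environment variables.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    opener.open(req, timeout=5).close()
    worker.join()
    server.server_close()
    return server.access_log


def secret_logged(path, headers=None):
    """True if the secret shows up anywhere in the server's access log."""
    return any(SECRET in line for line in access_log_for(path, headers))


if __name__ == "__main__":
    print("query string:", secret_logged(f"/doc?token={SECRET}"))
    print("URI fragment:", secret_logged(f"/doc#{SECRET}"))
    print("header      :", secret_logged("/doc", {"Authorization": f"Bearer {SECRET}"}))
```

The fragment never reaches the server because the client strips it before building the request line; it still sits in the full URL on the client side, which is the history and URL-bar exposure the comment describes.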