API Key as a query string parameter is a security risk, right?

I’m working with the Discourse API, and have learned that in order to perform a GET one must include the API key and API username in the URL as a parameter:

curl -X GET "http://127.0.0.1:3000/admin/users/list/active.json?api_key=714552c6148e1617aeab526d0606184b94a80ec048fc09894ff1a72b740c5f19&api_username=discourse1"

One of the calls I’m making is:

https://community.example.com/admin/users/list/active.json?filter=test&show_emails=false&order=&ascending=&_=123123123123

If you change show_emails to true, then you are exposing personal information.

Furthermore, if someone where to log HTTP traffic and gain access to your API key and admin user, they could pretty much do anything they wanted to your community.

I tried putting the API key in the header instead, but that didn’t work.

Am I I’m missing something, or is there a security risk to using the API with GET?

1 Like

Having the API key in the header instead of a query parameter won’t help security-wise :wink:

If you use https, you should be good.

7 Likes

@zogstrip thank you for your reply. I tried putting the API key and API user in the header because when the request is made over HTTPS, that data is encrypted.

However after further research, I found that even query string parameters are encrypted when accessing the API over HTTPS, although it’s not encouraged since the URLs with the query string parameters may still live in the web server logs in clear text. There does appear to be a way to filter this sensitive data out on Rails applications.

1 Like

I am totally open to extending it so we also accept api key and api username via HTTP headers if supplied. That is how we do it for client API.

3 Likes

FTR, using HTTP headers has been added a while ago!

curl -H "Api-Key: 123..." -H "Api-Username: system" "https://meta.discourse.org/latest.json"
3 Likes