Question

I created a simple REST API in PHP. The client is a mobile application written in Adobe Air. Anytime I developed an API, I used HTTPS and some basic header like X-Api-Secret, which was a secret both sides agreed on.

However, Adobe Air is not able to send custom headers in GET requests.

From Adobe Air documentation:

Due to browser limitations, custom HTTP request headers are only supported for POST requests, not for GET requests.

Should the mobile app send the secret as a GET parameter? Or is there a nicer solution?

Solution

Sending your key in the GET request as a special parameter is fine. It doesn't make things any more secure just because you sent your data as a header in a POST request. Most APIs will accept the application key in a GET parameter (e.g. Trello).

If there is something vitally secret that you don't want anyone else to find, then you don't want to keep it stored on the mobile app anyway because someone decompiling the app will be able to find it.
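
A server-side sketch of the setup discussed above, added here as an example and not part of the original question or answer: the PHP API accepts the secret from the X-Api-Secret header or, for GET requests, from a query parameter, compares it in constant time, and keeps it out of application logs. The parameter name `api_secret` and the environment variable `API_SECRET` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical query parameter name; the page does not specify one.
const SECRET_PARAM = 'api_secret';

/**
 * Prefer the X-Api-Secret header (POST clients) and fall back to the
 * query parameter (GET requests that cannot carry custom headers).
 */
function extractClientSecret(array $server, array $query): ?string
{
    $value = $server['HTTP_X_API_SECRET'] ?? $query[SECRET_PARAM] ?? null;
    // PHP parses ?api_secret[]=x into an array; accept only non-empty strings.
    return is_string($value) && $value !== '' ? $value : null;
}

/** Constant-time comparison, so response timing does not reveal the secret. */
function isAuthorized(?string $supplied, string $expected): bool
{
    return $supplied !== null && $expected !== '' && hash_equals($expected, $supplied);
}

/** Mask the secret in a request URI before writing it to application logs. */
function redactUri(string $uri): string
{
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['query'])) {
        return $uri;
    }
    parse_str($parts['query'], $params);
    if (isset($params[SECRET_PARAM])) {
        $params[SECRET_PARAM] = 'REDACTED';
    }
    return ($parts['path'] ?? '') . '?' . http_build_query($params);
}

// Entry point when served over HTTP (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    // Assumption: the shared secret is provisioned through the environment.
    $expected = (string) getenv('API_SECRET');
    if (!isAuthorized(extractClientSecret($_SERVER, $_GET), $expected)) {
        error_log('auth failed: ' . redactUri($_SERVER['REQUEST_URI'] ?? ''));
        http_response_code(401);
        exit;
    }
    // ... handle the authenticated request ...
}
```

The web server's own access log records the full query string independently of this code and needs its own log format or filtering if the parameter should not appear there.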

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow