Answer the question
In order to leave comments, you need to log in
Is it safe/correct to pass the login and password in the header over the HTTPS protocol?
Request example:
curl -H "username: user" -H " password:12345 " https://mysite.com
Another question is whether it is possible to intercept these headers by listening to traffic.
I would like to get a detailed answer about the security of this approach.
I know about OAUTH and tokens.
Answer the question
In order to leave comments, you need to log in
Never fence self-made cryptography and authorization methods, if you are not a cryptographer and not an appsec specialist, respectively, use standard approaches and proven libraries. In your case, you need to use HTTP basic authorization and the standard mechanisms that implement it.
The answer is yes, right. All web services do this - Google, FB, and 99% of the rest.
This is not ideal, so they try to supplement with an MFA (additional one-time password) or a certificate, but in general there is nothing more reliable and easy to use .
is not safe and not correct, and the point is not that all HTTPS headers are encrypted, it’s just that according to security rules, you don’t need to transfer the password at all, you need to transfer its hash sum, so the server will know that the password is correct, but the password itself will not be known either anyone other than the author
In short: Safe and so far the standard approach. Yes, you can intercept the password, and depending on the browser, the user will not know that his SSL / TLS "reads" something in the middle.
If Expanded, then it is now in fashion to use a different approach - on the browser side, using JScript / Subtle crypt, generate a hash / PBKDF from the password and transfer it to the server. The server, in turn, must also generate a secondary hash from this value, and it can already be stored / searched in the database for user authentication. And there is no way to store the primary hash on the server! but it can be used for other purposes, such as de-encrypting data for the 2FA method.
And since your front will already use JScript/Subtle crypt, this opens up additional possibilities for end-to-end encryption of a wider set of user data in end-to-end encryption mode.
see how the mega.nz service is made. they have open source.
First, the regex itself is a curve.
Secondly:
preg_match('/window\.runParams\.imageBigViewURL=\[\s*(.+?)\s*\]/isu', $page, $matches);
1. We are looking for a block with photos - https://regex101.com/r/bP4bJ0/1
2. We pull out links from the found one - https://regex101.com/r/kR2yQ8/1
I did not manage to do all this with one expression. Maybe regular season gurus will come up with something better.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question