Basic auth on HTTPS is OK. (#79)

2017-07-29 00:18:07 +03:00 · 2017-07-29 00:18:07 +03:00 · 479621190e
commit 479621190e
parent 7880278c38
1 changed files with 1 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -660,7 +660,7 @@ The **client app did something wrong** or The **API did something wrong**.
 ### 9.2 API security
 These are some basic security best practices:

-* Don't use basic authentication. Authentication tokens must not be transmitted in the URL: `GET /users/123?token=asdf....`
+* Don't use basic authentication unless over a secure connection (HTTPS). Authentication tokens must not be transmitted in the URL: `GET /users/123?token=asdf....`

    _Why:_
    > Because Token, or user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. [read more...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication)