coreyman
Posted October 21, 2019

Currently if you interact with the Blesta API you have to send a plain text password to the API to become authorized: http://source-docs.blesta.com/class-Users.html

Anyone able to eavesdrop on the conversation will learn the client's secret. If the client is talking to the wrong server, it reveals its secret to that potentially malicious server.

Are we solely relying on TLS to keep the communication secret?
Tyson
Posted October 21, 2019

It's standard practice to use TLS over HTTP to secure payload transmissions. All API requests are expected to be made over HTTPS. The Blesta UI will also send plain-text passwords in POST requests from the browser to the server, just like every other web application.

Any time you are dealing with sensitive information, requests should be transmitted over HTTPS. This includes not only all API requests, but all requests through Blesta in general, since any log-in data or cookies should be secure too.
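Both risks raised in the question (an eavesdropper on the path, and a client that talks to the wrong server) are what TLS certificate verification is for. The following client helper is an added example written for this thread, not Blesta's own code or API client: it refuses to send the credential unless the base URL is https://, uses a context that verifies the certificate chain and hostname, and optionally pins the server certificate's SHA-256 fingerprint. The API path, hostnames and fingerprint are assumptions; HTTP Basic auth is used as a stand-in for whatever header the Blesta API expects.

```python
"""Hypothetical HTTPS-only API client helper (added example, not Blesta's code)."""
import base64
import hashlib
import http.client
import json
import ssl
from urllib.parse import urlsplit


def api_url_parts(base_url):
    """Split the base URL, accepting only https:// so the secret never leaves in clear."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send API credentials over %r" % parts.scheme)
    return parts.hostname, parts.port or 443, parts.path.rstrip("/")


def basic_auth_header(username, password):
    """Build the Authorization header value (stand-in for the API's own scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def tls_context(cafile=None):
    """Default context verifies the chain and hostname; optionally trust a private CA file."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_matches_pin(der_cert, expected_sha256_hex):
    """Compare the DER certificate's SHA-256 fingerprint against the pinned value."""
    return hashlib.sha256(der_cert).hexdigest() == expected_sha256_hex.lower()


def call_api(base_url, username, password, path, expected_pin=None, cafile=None):
    """GET a JSON resource; the credential is only sent after TLS checks pass."""
    host, port, prefix = api_url_parts(base_url)
    conn = http.client.HTTPSConnection(host, port, context=tls_context(cafile), timeout=15)
    conn.connect()  # chain and hostname verification happen here
    if expected_pin is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not cert_matches_pin(der, expected_pin):
            conn.close()
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    headers = {"Authorization": basic_auth_header(username, password),
               "Accept": "application/json"}
    conn.request("GET", prefix + "/" + path.lstrip("/"), headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, (json.loads(body) if body else None)
```

Pinning is optional and must be updated whenever the server's certificate is rotated; chain and hostname verification alone already prevents the client from handing its secret to an impostor with a certificate it does not trust.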