coreyman
Posted October 21, 2019

Currently if you interact with the Blesta API you have to send a plain-text password to the API to become authorized: http://source-docs.blesta.com/class-Users.html

Anyone able to eavesdrop on the conversation will learn the client's secret. If the client is talking to the wrong server, it reveals its secret to that potentially malicious server.

Are we solely relying on TLS to keep the communication secret?
Tyson
Posted October 21, 2019

It's standard practice to use TLS over HTTP to secure payload transmissions. All API requests are expected to be made over HTTPS. The Blesta UI will also send plain-text passwords in POST requests from the browser to the server, just like every other web application.

Any time you are dealing with sensitive information, requests should be transmitted over HTTPS. This not only includes all API requests, but all requests through Blesta in general, since any log-in data or cookies should be secure too.
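The two risks raised in the question (an eavesdropper on the path, and a client that hands its secret to the wrong server) are both handled on the client side by refusing to send credentials unless the transport is HTTPS with certificate and hostname verification. The following is an added example of that discipline, not code from this thread or from the Blesta project; the endpoint URL is hypothetical and the use of HTTP Basic credentials is an assumption for illustration, not the Blesta API's actual authentication contract.

```python
# Added example (not from the forum thread or the Blesta code base): a small
# client-side guard that only sends API credentials over HTTPS with a
# verifying TLS context. Endpoint and credential format are assumptions.
import base64
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureTransportError(Exception):
    """Raised when credentials would leave the client without TLS protection."""


def build_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials (assumed format). Base64 is reversible, so this
    header is effectively plain text; only the TLS layer keeps it secret."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_transport(url: str) -> str:
    """Accept only https:// URLs with a hostname; return the URL unchanged."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        raise InsecureTransportError(
            f"refusing to send credentials over '{parts.scheme or 'no'}' scheme: {url}")
    if not parts.hostname:
        raise InsecureTransportError(f"URL has no host to verify: {url}")
    return url


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Attach credentials only after the transport check has passed."""
    check_transport(url)
    req = urllib.request.Request(url)
    req.add_header("Authorization", build_auth_header(username, password))
    return req


def tls_context() -> ssl.SSLContext:
    """A verifying context: CA chain and hostname are checked, TLS 1.2 minimum.
    This is what stops the client from revealing its secret to an impostor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context is not verifying the server")
    return ctx


def call_api(url: str, username: str, password: str, timeout: int = 10):
    """Perform the request over the verifying context (this one touches the network)."""
    req = build_request(url, username, password)
    with urllib.request.urlopen(req, context=tls_context(), timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Hypothetical endpoints; the real API path is not shown in the thread.
    for candidate in ("http://billing.example.test/api/",
                      "https://billing.example.test/api/"):
        try:
            build_request(candidate, "api_user", "api_key")
            print("credentials may be sent to:", candidate)
        except InsecureTransportError as exc:
            print("blocked:", exc)
```

The guard sits in front of the credential, not behind it: `build_request` never constructs the `Authorization` header for a non-HTTPS URL, so a misconfigured base URL fails loudly instead of leaking the password once. The `tls_context` check mirrors what `ssl.create_default_context()` already does; keeping it explicit guards against a later edit that relaxes verification to work around a certificate error.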