used in APIs. The downfall of basic authentication is that the credentials are passed unencrypted. This means that if the transport is plain HTTP, it is possible to sniff the traffic and capture the username and password with little to no effort. The lack of encryption means that the credentials sit in the HTTP header in plaintext, merely Base64 encoded. However, basic authentication is more commonly used with SSL or TLS to prevent such attacks.
Figure 6-4 Basic Authentication Example
Another big issue with basic authentication is that the password is sent back and forth with each request, which increases the opportunity for an attacker to capture the traffic containing the password. This is yet another reason to use encryption on this type of transaction.
API Keys
Some APIs use API keys for authentication. An API key is a predetermined string that is passed from the client to the server. It is intended to be a pre-shared secret and should not be well known or easy to guess because it functions just like a password. Anyone with this key can access the API in question and can potentially cause a major outage and gain access to critical or sensitive data.
An API key can be passed to the server in three different ways:
String
Request header
Cookie
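The two points above, that Basic credentials are only Base64 encoded and that an API key may travel in the query string, a request header, or a cookie, can be turned into a simple audit of captured requests. This is an added example, not code from the book: the sample requests, the API key parameter and header names in API_KEY_NAMES, and the hostname are all constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not from the book): (absolute URL, header lines).
SAMPLE_REQUESTS = [
    ("http://api.example.test/devices", ["Authorization: Basic ZGV2bmV0OnMzY3JldA=="]),
    ("https://api.example.test/devices", ["Authorization: Basic ZGV2bmV0OnMzY3JldA=="]),
    ("http://api.example.test/devices?api_key=CONSTRUCTED-KEY", []),
    ("https://api.example.test/devices", ["X-API-Key: CONSTRUCTED-KEY"]),
    ("http://api.example.test/devices", ["Cookie: lang=en; api_key=CONSTRUCTED-KEY"]),
]
API_KEY_NAMES = {"api_key", "apikey", "x-api-key", "api-key"}  # assumed key names

def decode_basic(value):
    """(user, password) from a 'Basic <base64>' value, else None. Base64 is
    encoding, not encryption: anyone who sees the header recovers this."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None

def credential_carriers(url, headers):
    """Name each way the request carries a secret: Basic header, or an API
    key in the query string, in a request header, or in a cookie."""
    found = []
    if API_KEY_NAMES & {k.lower() for k in parse_qs(urlsplit(url).query)}:
        found.append("api-key-in-query-string")
    for line in headers:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and decode_basic(value):
            found.append("basic-auth")
        elif name in API_KEY_NAMES:
            found.append("api-key-in-header")
        elif name == "cookie":
            cookie_names = {c.split("=", 1)[0].strip().lower() for c in value.split(";")}
            if API_KEY_NAMES & cookie_names:
                found.append("api-key-in-cookie")
    return found

def audit(requests):
    """(url, carriers) for each request sending a credential over plain HTTP."""
    findings = []
    for url, headers in requests:
        carriers = credential_carriers(url, headers)
        if carriers and urlsplit(url).scheme != "https":
            findings.append((url, carriers))
    return findings
```

Running audit(SAMPLE_REQUESTS) flags the three plain-HTTP requests (Basic header, key in query string, key in cookie) and passes the two sent over HTTPS, which is the practical check behind the advice to pair these mechanisms with TLS.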
Example 6-1 provides an example of a string-based API key. This type of API key is sent with every API call and is often used as a one-off method of authentication. When