Does TrueSight accept REST API call credentials in plain text? Our security team is concerned that the REST API calls show passwords in plain text.
When the request is communicated to the server it is transmitted over HTTPS, so it is encrypted (never use HTTP when passing credentials). From https://www.owasp.org/index.php/REST_Security_Cheat_Sheet: "Secure REST services must only provide HTTPS endpoints. This protects authentication credentials in transit, for example passwords, API keys or JSON Web Tokens."

Sending a password in the body of a POST to a login call (to retrieve a token, so that you only have to authenticate once at the beginning rather than on every call via Basic auth) is a standard way of authenticating with REST APIs; there are other ways. Proper handling of the password within the script and its variables is necessary, and transmitting over HTTPS secures it during transmission. Authentication calls should be made over HTTPS. Our call accepts credentials in the request body, and over HTTPS this is secure. Be sure to use the authToken for all further REST communication.
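The flow described in the answer, as an added example that is not part of the original page or BMC's own client code: the script refuses to build a request unless the base URL uses HTTPS, POSTs the credentials once to a login endpoint, extracts the token, drops its reference to the password, and then sends the token on every later request. The endpoint path (`/api/login`), the JSON field name (`authToken`) and the `Authorization: authToken <token>` header format are assumptions for illustration, not TrueSight's documented API; consult the product REST documentation for the real ones. The `send` parameter exists so the exchange can be exercised offline with a fake transport.

```python
import json
import os
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumed names for illustration only; not TrueSight's documented endpoint or header.
LOGIN_PATH = "/api/login"
TOKEN_FIELD = "authToken"
AUTH_HEADER = "Authorization"


def require_https(base_url: str) -> str:
    """Refuse to build any request that would carry a password or token in the clear."""
    scheme = urlsplit(base_url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over '{scheme or 'no'}' scheme; use https")
    return base_url.rstrip("/") + "/"


def build_login_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """One-time POST of the credentials in a JSON body to obtain a token."""
    base = require_https(base_url)
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        urljoin(base, LOGIN_PATH.lstrip("/")),
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


def extract_token(response_bytes: bytes) -> str:
    """Pull the token out of the login response; fail loudly rather than continue unauthenticated."""
    payload = json.loads(response_bytes)
    token = payload.get(TOKEN_FIELD)
    if not token:
        raise ValueError("login response did not contain a token")
    return token


def build_authenticated_request(base_url: str, path: str, token: str, method: str = "GET") -> urllib.request.Request:
    """Every later call carries only the token, never the password."""
    base = require_https(base_url)
    return urllib.request.Request(
        urljoin(base, path.lstrip("/")),
        method=method,
        headers={AUTH_HEADER: f"authToken {token}", "Accept": "application/json"},
    )


def _send(req: urllib.request.Request, timeout: int = 30) -> bytes:
    """Real transport: urllib verifies the server certificate by default over https."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def login_and_fetch(base_url: str, path: str, username: str, password: str, send=_send):
    """Authenticate once, then use the token for the data call. Returns (token, response bytes)."""
    login_req = build_login_request(base_url, username, password)
    token = extract_token(send(login_req))
    # Drop the references to the secret as soon as the token is in hand so it is not
    # lingering in locals for the rest of the script (never log it, either).
    del login_req, password
    data_req = build_authenticated_request(base_url, path, token)
    return token, send(data_req)


if __name__ == "__main__":
    # Credentials come from the environment rather than being hard-coded in the script.
    # TS_URL, TS_USER and TS_PASSWORD are assumed variable names for this example.
    token, body = login_and_fetch(
        os.environ["TS_URL"], "/api/devices", os.environ["TS_USER"], os.environ["TS_PASSWORD"]
    )
    print(body.decode())
```

Pointing this at an `http://` URL raises before anything is sent, which is the check the answer's "never use HTTP" advice relies on; the password is sent exactly once, in the body of the login POST, and every subsequent request carries only the token.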