Hi everyone. I would like people's opinion on the level of security achieved via the following cloud access methods. According to the user's guide, you can pass your token to the cloud in one of 3 ways:
There are three ways to send your access token in a request.
- In an HTTP Authorization header (always works)
- In the URL query string (only works with GET requests)
- In the request body (only works for POST & PUT when body is URL-encoded)
I have created 3 curl commands to implement each option. Each command performs a different task, but the token is passed as described above.
- curl -H "Authorization: Bearer (token)" https://api.particle.io/v1/devices/(id)/digitalwrite -d "arg=D7,HIGH"
- curl https://api.particle.io/v1/devices/events?access_token=(token)
- curl https://api.particle.io/v1/devices/(id)/led -d "arg=off" -d access_token=(token)
Now, let's ignore the pre-internet security (things like browser logs, local net sniffing, etc.) and focus on just the HTTPS transfer between my server and Particle's server. Is any one of these methods more or less secure than the others?
My research shows that they are all relatively secure, but the -H option is a little harder to intercept. Plus I am FAR from a security expert.
What are people's thoughts on the matter?
Thanks for your time!
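
Added example, not part of the original post: the three curl commands above rebuilt as the plaintext HTTP/1.1 messages that get written into the TLS tunnel, showing which part of each message carries the token. Under HTTPS the request line, headers and body are all encrypted in transit, so the placement matters mainly for what is recorded wherever URLs are logged; `redact_url` is a hypothetical helper for that case, and the token and device id are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

TOKEN = "CONSTRUCTED_TOKEN_0123"   # constructed sample value, not a real token
DEVICE = "CONSTRUCTED_DEVICE_ID"   # constructed placeholder for (id)
BASE = "https://api.particle.io/v1/devices"

def build_request(method, url, headers=None, form=None):
    """Return the plaintext HTTP/1.1 message as it is written into the TLS tunnel."""
    u = urlsplit(url)
    target = u.path + ("?" + u.query if u.query else "")
    body = urlencode(form) if form else ""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {u.netloc}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def token_location(raw, token):
    """Report which part(s) of the HTTP message contain the token."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = {"request-line": request_line, "headers": header_block, "body": body}
    return [name for name, text in parts.items() if token in text]

def redact_url(url, param="access_token"):
    """Mask the token value before a URL is written to a log (hypothetical helper)."""
    u = urlsplit(url)
    query = [(k, "REDACTED" if k == param else v)
             for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return urlunsplit((u.scheme, u.netloc, u.path, urlencode(query), u.fragment))

# The three requests from the post; curl -d sends a POST with a URL-encoded body.
REQUESTS = {
    "header": build_request("POST", f"{BASE}/{DEVICE}/digitalwrite",
                            headers={"Authorization": f"Bearer {TOKEN}"},
                            form={"arg": "D7,HIGH"}),
    "query": build_request("GET", f"{BASE}/events?access_token={TOKEN}"),
    "body": build_request("POST", f"{BASE}/{DEVICE}/led",
                          form={"arg": "off", "access_token": TOKEN}),
}

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:6} -> token in {token_location(raw, TOKEN)}")
    print(redact_url(f"{BASE}/events?access_token={TOKEN}"))
```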