From 224b0543a7ea0ab273d5cc010cf3a6abf9c49291 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Wed, 13 Mar 2019 10:32:33 +0100 Subject: [PATCH 1/2] Make that paragraph a note. --- docs/source/authentication.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 6ffbd1944..5737ad903 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -341,8 +341,10 @@ third party service to integrate with |st2| and this service doesn't allow you t headers), you can provide it as a query parameter named ``x-auth-token`` and ``st2-api-key`` respectively. -Keep in mind that using HTTP header is preferred since some web servers and third party services -log query parameters which are sent with each request, which could be a security risk. +.. note:: + + Keep in mind that using HTTP header is preferred since some web servers and third party services + log query parameters which are sent with each request, which could be a security risk. Here's some examples of how to send authentication token and API key in the headers, and as a query parameter using ``curl``: From 4c280b0412c4badbedbcd7ea76dedb9bc5699ee8 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Wed, 13 Mar 2019 17:12:59 +0100 Subject: [PATCH 2/2] Reword it. --- docs/source/authentication.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 5737ad903..916f53e70 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -344,7 +344,8 @@ respectively. .. note:: Keep in mind that using HTTP header is preferred since some web servers and third party services - log query parameters which are sent with each request, which could be a security risk. + log query parameters which are sent with each request. This could lead to auth token / api key + exposure and potentially pose a security risk. Here's some examples of how to send authentication token and API key in the headers, and as a query parameter using ``curl``:
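Review bot: In the first hunk (the one converting the paragraph to a `.. note::`), the moved text still reads "using HTTP header is preferred", which is missing an article; since the lines are being touched anyway, change it to "using the HTTP header is preferred". The directive itself looks right: the body is indented consistently under `.. note::`, which is what reStructuredText needs for the admonition to render. The unchanged trailing context "Here's some examples of how to send" is also a grammar slip ("Here are some examples") that could be fixed in the same docs-only commit.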
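Review bot: In the second hunk, the new wording "auth token / api key exposure" is inconsistent with the surrounding text, which spells the terms "authentication token" and "API key" (see the unchanged context line "how to send authentication token and API key in the headers"). Suggest "This could expose the authentication token or API key and is therefore a security risk." instead of "This could lead to auth token / api key exposure and potentially pose a security risk." Leaking a credential into server or third-party logs is the risk itself, so "potentially" undersells the point. The hunk header (`-344,7 +344,8`) correctly reflects the one-line growth.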