ACSP Suggestion 2022.5: Alternative to API Token in REST calls


Author: Anonymous   
Submitted On: 11 February 2022


Alternative to sending API Token as URL parameter in REST calls.

Either sending as POST form data or as an HTTP header field would be preferable as those should not tend to be logged in production systems.

Some other implementations of REST interfaces are using X-CSRFToken in the HTTP header field.

e.g. curl -H “X-CSRFToken: $myToken” -X GET https://my.fqdn/noun

Value to Community: Logging systems often log the entire URL and hence unnecessarily expose the API token to anyone with access to and reading the logs. This could accidentally lead to a security incident caused by unauthorized access to ARIN resources from a valid hijacked token.

Timeframe: Not specified

Status: Open   Updated: 23 February 2022

Tracking Information

ARIN Comment

23 February 2022

Thank you for your suggestion, numbered 2022.5 on confirmed receipt, requesting that we consider alternatives to sending the API token as a URL parameter in REST calls to improve security. We agree that a change of this type would improve security. In evaluating this suggestion, we have determined that making the change to send the API token as part of the HTTP header field would be the best solution as it will also allow ARIN to support this new feature as well as the current query parameter. We will place this suggestion on the list for prioritization for the 2023 Engineering Roadmap.

Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.