Forum Discussion

Adam_Hahn
9 years ago

Secure Transmission of API Passwords

Currently, when communicating with the LogicMonitor API, passwords are required to be sent in plaintext in the URL. This results in the username/password of the API account being intercepted anywhere logging of the URL occurs (proxies/network logging/etc.).

Additionally, since LM treats API users like any other user, having the user/pass in plaintext permits anyone who sees the URL to log into the LM web interface as the API user and see or do anything the API user can do.

This can be prevented by making some relatively simple changes to the API handler.

1) Permit the arguments of an API request to be made via POST instead of GET

HTTPS POST requests will ensure that the vars are encrypted with the rest of the HTTPS request.

2) Permit hashing of the password

This prevents those who see the password from being able to access the LM web-interface and obfuscates the clear-text version of the password.

PS: Call me paranoid if you want, but communication with the LM API is done over the public internet and plaintext passwords make me nervous :/
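To show why the URL-logging concern above matters on the defender's side, here is an added example (not code from the thread or from LogicMonitor) that scans constructed proxy-log lines for credentials carried as query parameters and emits a redacted copy; the log format, parameter-name list and hostnames are all assumptions for the demo.

```python
# Added example: detect and redact API credentials that appear in URL query strings
# inside proxy/access logs. Log layout ("client method url status"), the sensitive
# parameter names and the sample URLs are constructed for this demo.
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed starting list of query-parameter names that commonly carry secrets;
# extend it for the APIs actually in use.
SENSITIVE_PARAMS = {"password", "pass", "pwd", "passwd", "secret", "token", "apikey", "api_key"}

def find_credentials_in_url(url):
    """Return the sorted list of sensitive query-parameter names present in the URL."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def redact_url(url, mask="REDACTED"):
    """Replace the values of sensitive query parameters, leaving the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_log(lines):
    """For each log line, report leaked parameter names and a redacted line safe to retain."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:          # skip malformed lines rather than guessing at them
            continue
        url = fields[2]
        leaked = find_credentials_in_url(url)
        if leaked:
            fields[2] = redact_url(url)
            findings.append({"line": line, "leaked": leaked, "redacted": " ".join(fields)})
    return findings

# Constructed sample log: a GET with credentials in the query string (the pattern the
# post describes), a POST whose body and Authorization header are not logged, and a
# GET leaking a token.
SAMPLE_LOG = [
    "10.0.0.5 GET https://api.example.test/v1/hosts?company=acme&username=apiuser&password=Hunter2 200",
    "10.0.0.5 POST https://api.example.test/v1/hosts 200",
    "10.0.0.7 GET https://api.example.test/v1/status?token=abc123 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("leaked", f["leaked"], "->", f["redacted"])
```

The POST line produces no finding because its credentials travel in the encrypted request body or header, never in the logged URL, which is exactly the difference the post asks for.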

  • Sarah_Terry (Product Manager)

    All of our API requests are transmitted over SSL, so passwords are never sent in plaintext. Our new REST API, which we are starting to publish, uses Basic Authentication over SSL and will permit requests via POST.