I'm unsure why Facebook don't enforce this by default, but for security reasons the access_token parameter, which is currently sent in the URL's query parameters, should instead be passed in the Authorization header, e.g.
curl -i -X GET --header "Authorization: Bearer MYTOKEN" \
"https://graph.facebook.com/v3.2/me?fields=id%2Cname"
We have to add some kind of flag to switch between the current query parameter and the new header field, so the developer can decide. After some releases we can switch to the header parameter as default :)
I'm unsure why Facebook don't enforce this by default, but for security reasons the access_token parameter, which is currently sent in the URL's query parameters, should instead be passed in the Authorization header, e.g.
This is supported by the API but all of their documentation passes it in the URL query parameters.
https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
Would love to hear thoughts.
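The opt-in switch discussed in this thread, sketched as an added example (not part of the issue and not the project's code). The function names and the `token_in_header` flag are hypothetical; the base URL and `MYTOKEN` placeholder come from the curl command above. Requests are built but never sent.

```python
from urllib.parse import urlencode
from urllib.request import Request

GRAPH_BASE = "https://graph.facebook.com/v3.2"  # version from the curl example


def build_graph_request(path, params, access_token, token_in_header=False):
    """Build (but do not send) a Graph API GET request.

    token_in_header is a hypothetical opt-in flag: False keeps the current
    query-parameter behaviour, True moves the token into the
    Authorization header.
    """
    query = dict(params)
    headers = {}
    if token_in_header:
        # A caller-supplied access_token param would put the secret
        # straight back into the URL, so reject it in header mode.
        if "access_token" in query:
            raise ValueError("access_token must not be passed in params")
        headers["Authorization"] = "Bearer " + access_token
    else:
        query["access_token"] = access_token
    url = GRAPH_BASE + "/" + path.lstrip("/")
    if query:
        url += "?" + urlencode(query)
    return Request(url, headers=headers, method="GET")


def token_in_url(request, access_token):
    """True if the secret is part of the URL, the portion of a request that
    is written to server access logs and kept in browser history."""
    return access_token in request.full_url


if __name__ == "__main__":
    token = "MYTOKEN"  # placeholder, as in the curl example
    for flag in (False, True):
        req = build_graph_request("me", {"fields": "id,name"}, token,
                                  token_in_header=flag)
        print("header mode:", flag)
        print("  url:          ", req.full_url)
        print("  authorization:", req.get_header("Authorization"))
        print("  token in url: ", token_in_url(req, token))
```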