Access tokens should be sent in request headers

[StephenFlavin]

I'm unsure why Facebook don't enforce this by default but for security reasons the access_token parameter which is currently sent in the urls query parameters should instead be passed in the Authorisation header e.g.

curl -i -X GET --header "Authorization: Bearer MYTOKEN" \
 "https://graph.facebook.com/v3.2/me?fields=id%2Cname"

This is supported by the api but all of their documentation passes it in the url query parameters.
https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

Would love to hear thoughts.

[nbartels]

Yes, I think this is an important change.

We have to add some kind of flag to switch between the current query parameter and the new header field. So the developer can decide. After some releases we can switch to the header parameter as default :)

[StephenFlavin]

I'm unsure if there is a way to send the secret proof this way too, might be worth raising with FB support.

[nbartels]

The DefaultFacebookClient has a new method setHeaderAuthorization. This flag switches between query parameter (default) and header authorization.

This will be available with the next version and it would be great if you can give it a try.