Of all the new features in the latest version of Cascade Server, I’m most excited about the REST API. I’m a heavy user of the current Web Services API, but as a SOAP service it’s a hassle to use and doesn’t play nice with languages like Clojure.
The REST API can leak your username and password
I wanted to call out one thing I saw in the documentation, however: the Cascade Server REST API allows the client to pass their username and password in the URL, and the documentation also implies that this is the “default” approach.

Passing credentials in the URL query string has long been understood to be poor security practice, because URLs are recorded in places that were never meant to hold secrets: browser history, web server and proxy access logs, and the Referer header sent to any third-party resource the page loads. It is called out by OWASP in both their vulnerabilities wiki and in their proposed list of 2017’s top web vulnerabilities.
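To make the exposure concrete, here is an added example (my own code, not Cascade Server's or anything from its documentation) that scans constructed web-server access-log lines for credentials passed in the query string, redacts them, and builds the same request with the credentials in an `Authorization` header instead. The query parameter names it looks for (`u`, `p`, `apiKey`, and so on) and the use of HTTP Basic as the header-based alternative are assumptions for illustration, not the API's actual parameter names or supported schemes.

```python
"""Added example: detect and redact credentials in URL query strings found in
access logs, and show the header-based alternative. Not code from the original
post; parameter names and the Basic-auth scheme below are assumptions."""
from __future__ import annotations

import re
import urllib.request
from base64 import b64encode
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credential-bearing (assumed list, matched
# case-insensitively). Extend it with whatever your own API actually uses.
SENSITIVE_PARAMS = {
    "username", "user", "u", "password", "pass", "p", "pwd",
    "apikey", "api_key", "token",
}

# Constructed sample access-log lines (Apache common log format). The first
# and third requests carry credentials in the query string; the second is clean.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2018:10:00:01 +0000] "GET /api/v1/read/page/123?u=editor&p=hunter2 HTTP/1.1" 200 512
10.0.0.6 - - [01/Feb/2018:10:00:02 +0000] "GET /api/v1/read/page/124 HTTP/1.1" 200 498
10.0.0.7 - - [01/Feb/2018:10:00:03 +0000] "POST /api/v1/edit?apiKey=abc123 HTTP/1.1" 200 17
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def credential_params(url: str) -> list[str]:
    """Return the names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Replace the values of credential-looking query parameters, keeping the rest."""
    parts = urlsplit(url)
    pairs = [(k, placeholder if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request target carries credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip
        params = credential_params(m.group("target"))
        if params:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "params": params,
                "redacted": redact_url(m.group("target")),
            })
    return findings


def build_request(base_url: str, path: str, username: str, password: str) -> urllib.request.Request:
    """Build the request with credentials in an Authorization header, not the URL.

    HTTP Basic is assumed here purely to show the header-based shape; whether a
    given server accepts it is a property of that server, not of this code.
    The request is constructed but not sent.
    """
    token = b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url + path, headers={"Authorization": f"Basic {token}"}
    )


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} leaks {f['params']} -> {f['redacted']}")
    req = build_request("https://cms.example", "/api/v1/read/page/123", "editor", "hunter2")
    print("header-based request URL:", req.full_url)
```

Run it against a real access log to see how many requests in your environment already carry credentials in the URL; the `redact_url` helper is the piece to wire into log shipping so the secret never reaches long-term storage.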