2 weeks ago
I tried submitting this to ShipStation support and they suggested I post it here.
When ShipStation calls our web endpoint using the GET method, it includes our API credentials (SS-UserName, SS-Password) within the querystring data instead of just leaving them in the authentication header. The problem with this is that our webserver log files are now full of entries that display our API username/password in cleartext (see below - data changed to "*").
2024-08-08 02:48:38 172.30.5.66 GET /v1/17032/shipstation SS-UserName=******&SS-Password=*******&action=export&start_date=08%2f07%2f2024+17%3a47&end_date=08%2f08%2f2024+19%3a48&page=1 443 - 34.200.1.155 ShipStation - 200 0 0 49
This is a security no-no, so I'd like to have the option to turn off embedding credentials within the querystring in ShipStation.
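Until the sender stops putting credentials in the URL, the receiving side can scrub them from its own logs. The following is an added example, not part of the original post and not ShipStation code: it redacts the `SS-UserName` and `SS-Password` values from log lines laid out like the one above. The field position of the query string, the function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

# Parameter names taken from the post; compared case-insensitively.
SENSITIVE = {"ss-username", "ss-password"}

# Assumption: space-separated fields in the same order as the line in the
# post (date, time, server IP, method, path, query string, port, ...).
QUERY_FIELD = 5

# Constructed sample lines; user name and password are made-up values.
SAMPLE = [
    "2024-08-08 02:48:38 172.30.5.66 GET /v1/17032/shipstation "
    "SS-UserName=demo_user&SS-Password=demo_pass&action=export&page=1 "
    "443 - 34.200.1.155 ShipStation - 200 0 0 49",
    "2024-08-08 02:49:10 172.30.5.66 GET /v1/17032/shipstation "
    "action=export&ss%2Dpassword=demo_pass&page=2 "
    "443 - 34.200.1.155 ShipStation - 200 0 0 51",
    "2024-08-08 02:50:02 172.30.5.66 GET /health - 443 - 10.0.0.9 probe - 200 0 0 3",
]

def redact_query(query):
    """Return (redacted_query, hits) for one raw query-string field."""
    if query == "-":                      # "-" marks an empty field
        return query, 0
    out, hits = [], 0
    for pair in query.split("&"):
        key, sep, _value = pair.partition("=")
        # Decode the key so percent-encoded spellings are caught too.
        if sep and unquote_plus(key).lower() in SENSITIVE:
            out.append(key + "=REDACTED")
            hits += 1
        else:
            out.append(pair)              # other parameters stay untouched
    return "&".join(out), hits

def redact_line(line):
    """Redact the query field of one log line; directive lines pass through."""
    fields = line.split(" ")
    if line.startswith("#") or len(fields) <= QUERY_FIELD:
        return line, 0
    fields[QUERY_FIELD], hits = redact_query(fields[QUERY_FIELD])
    return " ".join(fields), hits

def redact_log(lines):
    """Return (redacted_lines, total_hits); a non-zero total means exposure."""
    results = [redact_line(line) for line in lines]
    return [text for text, _ in results], sum(hits for _, hits in results)

if __name__ == "__main__":
    cleaned, total = redact_log(SAMPLE)
    print("\n".join(cleaned))
    print("credential values redacted:", total)
```

Redaction only cleans the files; any credential that has already been written to a log should be treated as exposed and rotated.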
2 weeks ago
Hello @prslicensing!
Thank you for reaching out to the community! We appreciate you bringing this to our attention, and I’ve shared this concern with the development team for further investigation.
Happy Shipping!
-Cara