Security issue with Custom Store API

prslicensing
First-timer

I tried submitting this to ShipStation support and they suggested I post it here.

When ShipStation calls our web endpoint using the GET method, it includes our API credentials (SS-UserName, SS-Password) within the querystring data instead of just leaving them in the authentication header. The problem with this is that our webserver log files are now full of entries that display our API username/password in cleartext (see below - data changed to "*").

2024-08-08 02:48:38 172.30.5.66 GET /v1/17032/shipstation SS-UserName=******&SS-Password=*******&action=export&start_date=08%2f07%2f2024+17%3a47&end_date=08%2f08%2f2024+19%3a48&page=1 443 - 34.200.1.155 ShipStation - 200 0 0 49

This is a security no-no, so I'd like to have the option to turn off embedding credentials within the querystring in ShipStation.
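Added example, not part of the original post and not ShipStation code: one way to mask the `SS-UserName` and `SS-Password` values in web server log lines laid out like the entry above, and to list which lines exposed them. The `#Fields` header, the sample lines and the credential values are constructed, and the function names are hypothetical.

```python
import re

# Query-string parameters named in the post that carry credentials.
SENSITIVE = ("SS-UserName", "SS-Password")

# name=value, where the value runs to the next '&' or whitespace
# (the query field of a W3C-style log line contains no spaces).
_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, SENSITIVE)) + r")=([^&\s]*)",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (redacted_line, hit); hit is True if a credential was masked."""
    redacted, n = _PATTERN.subn(lambda m: m.group(1) + "=[REDACTED]", line)
    return redacted, n > 0

def redact_log(lines):
    """Redact every entry; return (clean_lines, exposed_line_numbers)."""
    clean, exposed = [], []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#"):  # header directives pass through untouched
            clean.append(line)
            continue
        out, hit = redact_line(line)
        clean.append(out)
        if hit:
            exposed.append(lineno)
    return clean, exposed

# Constructed sample in the layout of the entry above; credentials are made up.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    "2024-08-08 02:48:38 172.30.5.66 GET /v1/17032/shipstation "
    "SS-UserName=demo-user&SS-Password=demo-pass&action=export&page=1 443 - "
    "34.200.1.155 ShipStation - 200 0 0 49",
    "2024-08-08 02:49:02 172.30.5.66 GET /healthz - 443 - 10.0.0.7 probe - 200 0 0 3",
]

if __name__ == "__main__":
    clean, exposed = redact_log(SAMPLE)
    print("\n".join(clean))
    print("lines that exposed credentials:", exposed)
```

This only cleans logs that have already been written; the credentials still arrive in the query string on every request.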

1 REPLY

CaraAdmin
Khoros

Hello @prslicensing!

Thank you for reaching out to the community! We appreciate you bringing this to our attention, and I've shared this concern with the development team for further investigation.

Happy Shipping!

-Cara