API calls are potentially unsafe

api
security

#1

I’d like to raise a possible security issue with the API, where the username and token are passed in the query string. This is visible in both ends of the call, and could be avoided with e.g. http headers or a POST request with body params.


#2

Thanks for bringing this up. Could send this as a message to security@circleci.com?

Tad Whitaker
Security Engineer


#3