- If the API key for the electron service is supposed to stay secret, it would be better to do a POST request with the key in the POST body, as that way it is much less likely to end up in log files.
| Status | Assigned | Task |
|---|---|---|
| Resolved | Addshore | T150185 Deploy ElectronPdfService Extension to production |
| Resolved | Addshore | T149080 Security review for ElectronPdfService Extension |
| Declined | None | T149781 POST ElectronPdf extension service key rather than get |
@Tobi_WMDE_SW, we will provide a public REST API endpoint that you should send user requests to. Don't worry about using the electron service directly in production.
For testing, there is no need to keep the accesskey secret. Either way, requests will be simple GETs.
POSTing the API key is not super important. It does make it much less likely for the key to be accidentally disclosed (via logs or whatever), but ultimately the security of the key isn't super important given what it is protecting, so if this issue is difficult to do, I think it's OK to skip.
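
The logging difference discussed in this thread, as an added example that is not part of the original task or the extension's code: a key sent as a GET query parameter is written into every access-log line, while a POST body is not, so existing logs can be scanned and redacted. The parameter name `accesskey` as a query parameter, the `/pdf` path, the key value and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in Common Log Format; host, path and key value are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2016:10:00:00 +0000] "GET /pdf?accesskey=EXAMPLEKEY123'
    '&url=https%3A%2F%2Fexample.org%2Fwiki%2FFoo HTTP/1.1" 200 51234',
    # Same request as a POST: the key travels in the body, which is not logged.
    '192.0.2.10 - - [01/Nov/2016:10:00:05 +0000] "POST /pdf HTTP/1.1" 200 51234',
    '192.0.2.11 - - [01/Nov/2016:10:00:09 +0000] "GET /pdf?url=https%3A%2F%2Fexample.org%2F'
    '&AccessKey=EXAMPLEKEY123 HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line, secret_params=("accesskey",)):
    """Return (redacted_line, leaked_values) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in secret_params:  # parameter names compared case-insensitively
            leaked.append(value)
            value = "REDACTED"
        kept.append((name, value))
    if not leaked:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(kept)))
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def scan(lines):
    """Redact every line and collect the 1-based line numbers where a key was logged."""
    out, hits = [], []
    for n, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        out.append(redacted)
        if leaked:
            hits.append(n)
    return out, hits

if __name__ == "__main__":
    redacted, hits = scan(SAMPLE_LOG)
    print("lines exposing the key:", hits)
    print("\n".join(redacted))
```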