Plugin Author
nicu_m
(@nicu_m)
Hello @quantafire,
You’re perfectly right and I agree with you.
The sample generated URL from the plugin is just an example that shows the endpoint and the available parameters.
I also suggest that the parameters should not be added to the URL. You can add the parameters in the post body, and you will have the same result.
Also, my guess is that, when you try to create users, you will generate a form (or an AJAX call) that calls the URL and adds the parameters in the body of the request (not in the URL).
To answer your question, I say “yes”, the plugin is secure. Also, I’ve added an info box in the create users section, where I suggest that the admins should use “Auth Code” when they create users. This Auth Code acts like an “API KEY” and can be set to expire after a certain period of time.
Also, the safest way to create users is to make a server-to-server call. You generate a form, with “captcha” on it, and, on form submit, you make the call to the plugin endpoint with the “Auth Code”. This auth code for creating users should also not be visible to the end client.
Best regards,
Nicu.
Hello… in fact this is half correct:
1. HTTP: Insecure
Everything you send with plain HTTP is readable as is… So anything in the URL (or in the body) can be tracked fairly easily. The body is just a little more complicated…
2. HTTPS: Secure
Encryption is exactly what the ‘S’ guarantees when passing anything in the URL as well as in the body or so.
CONCLUSION:
To be secure, I would strongly suggest you get an SSL certificate (easily got for free), and go with HTTPS.
Here is a little link about it.
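The server-to-server flow described in the plugin author's reply, combined with the HTTPS advice in the second reply, as an added example that is not part of the thread and not the plugin's own code. Assumptions: the constants `EXAMPLE_CREATE_USER_ENDPOINT` and `EXAMPLE_AUTH_CODE` are defined in `wp-config.php`, and the body field names and the `example_captcha_passed` filter are hypothetical placeholders, not the plugin's real names.

```php
<?php
// Added example. The endpoint constant, the Auth Code constant, the body field
// names and the 'example_captcha_passed' filter are hypothetical placeholders.

add_action('admin_post_nopriv_example_register', 'example_handle_register');

function example_handle_register() {
    // Fail closed: a captcha integration must hook this filter and return true.
    if (!apply_filters('example_captcha_passed', false, $_POST)) {
        wp_die('Captcha check failed.', '', array('response' => 403));
    }

    $email    = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $password = (string) wp_unslash($_POST['password'] ?? '');
    if (!is_email($email) || $password === '') {
        wp_die('Invalid registration data.', '', array('response' => 400));
    }

    // Refuse to send the password and the Auth Code over plain HTTP.
    if (wp_parse_url(EXAMPLE_CREATE_USER_ENDPOINT, PHP_URL_SCHEME) !== 'https') {
        wp_die('Endpoint must use HTTPS.', '', array('response' => 500));
    }

    // Server-to-server call: the parameters travel in the POST body, and the
    // Auth Code is added here, so it never appears in the visitor's form or URL.
    $response = wp_remote_post(EXAMPLE_CREATE_USER_ENDPOINT, array(
        'timeout' => 10,
        'body'    => array(
            'email'     => $email,
            'password'  => $password,
            'auth_code' => EXAMPLE_AUTH_CODE, // hypothetical field name
        ),
    ));

    // Treat transport errors and any non-2xx status as a failed creation.
    $status = is_wp_error($response) ? 0 : (int) wp_remote_retrieve_response_code($response);
    if ($status < 200 || $status >= 300) {
        wp_die('Could not create the account.', '', array('response' => 502));
    }

    wp_safe_redirect(home_url('/'));
    exit;
}
```

The public form posts to `admin-post.php` with `action=example_register`; only this handler, running on the server, ever holds the Auth Code.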