Is there any way of using the HTTP API without putting credentials (in plain text) in URL parameters? I'm a little baffled that this is even allowed. This is a security faux pas as literally anyone in between the request initiator and the PRTG endpoint will have the credentials.
I would expect to pass them in as part of the body or as part of the headers.
Is this possible?
Article Comments
Hey Erhard,
This doesn't really solve the issue that Justin was flagging AFAICT. The point Justin was making is that the URLs all contain the username and password for each request. URLs are useful debugging tools and often get logged, so having creds, even hashed creds that work for an extended duration, in the URL is not a common practice. Any use of the PRTG API requires end users to be meticulous about avoiding logging URLs.
Does that make sense?
Todd
Sep, 2021 - Permalink
Hello Justin,
Use parameter passhash instead of password in the API call. You can find the passhash in your user account's settings (Setup | Account Settings | My Account). It can only be used to run API calls, but not for logging in to PRTG's web interface.
Kind regards,
Erhard
Jan, 2018 - Permalink
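One way to reduce the logging exposure raised in the comments above, as an added example that is not part of the thread and not PRTG's own code: a Python logging filter that masks the password and passhash query parameters before a record is written. The host name, the sample values and the names redact and RedactCredentials are constructed for illustration.

```python
import logging
import re

# Credential-bearing query parameters named in this thread.
SENSITIVE_PARAMS = ("password", "passhash")

# Matches "?name=value", "&name=value" or ";name=value" for the names above,
# case-insensitively, and stops at the next separator, fragment, quote or space.
_CRED_RE = re.compile(
    r"(?i)([?&;](?:%s)=)[^&;#\s\"'<>]*" % "|".join(map(re.escape, SENSITIVE_PARAMS))
)


def redact(text: str) -> str:
    """Mask credential values in any URL or query string found in text."""
    return _CRED_RE.sub(r"\1REDACTED", text)


class RedactCredentials(logging.Filter):
    """Masks credentials in the fully formatted log message.

    Attach it to handlers rather than to a single logger, so records that
    propagate up from library loggers are covered as well.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first: the URL is often passed as a %s argument, not in msg.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactCredentials())
    logging.basicConfig(level=logging.INFO, handlers=[handler])

    # Constructed sample URL; host and credential values are placeholders.
    url = ("https://prtg.example.com/api/table.json"
           "?content=sensors&username=demo&passhash=1234567890")
    logging.info("request to %s failed", url)
```

This only covers logs written by the calling application; proxies, web server access logs and shell history that record the full URL are outside its reach.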