HTTP authentication

  • ??? don’t implement manually, best practices continually evolve

can send a symmetric key as a query parameter, in a header, or in the request body

can obtain a symmetric key by sending username and password over HTTPS, e.g. via a login form; can store the symmetric key in a cookie

API

  • traditionally used a secret key
  • modern way is using OAuth 2.0

API keys

  • never hardcode into source code, instead use environment variables
  • can set environment variables
    • remotely: save in UI, e.g. GitHub, Netlify, etc.
    • locally (single use): provide as command-line arguments
    • locally (multiple use): create a .env file containing the keys that’s excluded from VCS, write a script that loads its content and sets the environment variables, e.g. the dotenv module
  • beware: always document required environment variables, e.g. create a sample.env with sample keys that’s not excluded from VCS ❗️
  • beware: the client has no environment variables, so it needs a proxy server that makes the request on its behalf, e.g. FaaS ❗️
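
As an added example (not code from these notes or from the dotenv module), a minimal dotenv-style loader in Node.js: it parses a .env file, sets only variables that are not already set, and checks the result against sample.env so a missing variable fails at startup rather than at the first API call. The file contents and helper names are constructed for the demo.

```javascript
// Minimal dotenv-style loader (added example, not the dotenv module).
// Parse .env text into a plain object. Supports KEY=value, blank lines,
// "#" comments, and single/double-quoted values; malformed lines are ignored.
function parseEnv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;                      // no "=": not a KEY=value line
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) value = quoted[2];                // strip matching surrounding quotes
    vars[key] = value;
  }
  return vars;
}

// Copy parsed variables into env (process.env by default) without overriding
// variables that are already set, e.g. ones configured in the hosting UI.
function loadEnv(text, env = process.env) {
  const parsed = parseEnv(text);
  for (const [key, value] of Object.entries(parsed)) {
    if (!(key in env)) env[key] = value;
  }
  return parsed;
}

// sample.env documents the required variable names (values are placeholders).
// Return the names that are absent from env so startup can fail fast.
function missingVars(sampleText, env = process.env) {
  return Object.keys(parseEnv(sampleText)).filter((key) => !(key in env));
}

// Constructed file contents for the demo; the key is a placeholder, not a real credential.
const SAMPLE_ENV =
  "# copy to .env and fill in the values\nAPI_KEY=your-key-here\nAPI_BASE_URL=https://api.example.com\n";
const DOT_ENV = "API_KEY='sk-example-not-a-real-key'\n# API_BASE_URL deliberately left out\n";

const demoEnv = {};                               // stand-in for process.env in this demo
loadEnv(DOT_ENV, demoEnv);
console.log(missingVars(SAMPLE_ENV, demoEnv));    // [ 'API_BASE_URL' ]
```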

Resources