When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?

Authorization is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given.

The Basic scheme allows clients to provide a username-password-pair separated by a colon (:) coded in Base64. It cannot be stressed enough that this is a transport coding that provides no real security benefits. E.g. the example given by you can trivially be ‘decrypted’ into Aladdin:open sesame.

Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token is pretty much providing a shortcut here as it (presumably) does not rely on either OAuth or the HTTP authentication framework.

Please note that with X-Auth-Token being an unregistered header, it is subject to no formal specification and its presence and content is always tied to a respective application. No general assumptions can be made on it.

Related Posts:

  1. Do I need Content-Type: application/octet-stream for file download?
  2. application/x-www-form-urlencoded or multipart/form-data?
  3. application/x-www-form-urlencoded or multipart/form-data?
  4. “CAUTION: provisional headers are shown” in Chrome debugger
  5. What are all the possible values for HTTP “Content-Type” header?
  6. Are HTTP headers case-sensitive?
  7. Human readable format for http headers with tcpdump
  8. Should a 502 HTTP status code be used if a proxy receives no response at all?
  9. What is the difference between a URI, a URL and a URN?
  10. HTTP Status 504
  11. What is the difference between POST and GET? [duplicate]
  12. Problem HTTP error 403 in Python 3 Web Scraping
  13. Problem HTTP error 403 in Python 3 Web Scraping
  14. Is 418 “I’m a teapot” really an HTTP response code?
  15. How to define the basic HTTP authentication using cURL correctly?
  16. How to define the basic HTTP authentication using cURL correctly?
  17. “Cannot GET /” with Connect on Node.js
  18. Possible reason for NGINX 499 error codes
  19. @ converted to %40 in HTTPPost request
  20. What’s the difference between a POST and a PUT HTTP REQUEST?
  21. What does HTTP/1.1 302 mean exactly?
  22. How do I send a POST request with PHP?
  23. Why is it said that “HTTP is a stateless protocol”?
  24. What’s the difference between using application/csv vs text/csv? [duplicate]
  25. What is the difference between PUT, POST and PATCH?
  26. What’s the difference between “Request Payload” vs “Form Data” as seen in Chrome dev tools Network tab
  27. Exception in thread “main” java.net.NoRouteToHostException: No route to host
  28. ndroid 8: Cleartext HTTP traffic not permitted
  29. WebException (Status: Protocol Error)
  30. Can PHP cURL retrieve response headers AND body in a single request?
  31. Setting Curl’s Timeout in PHP
  32. How are parameters sent in an HTTP POST request?
  33. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  34. wget: unable to resolve host address `http’
  35. WordPress HTTP parameter pollution
  36. Does WordPress send data about your blog to WordPress.org or Automattic?
  37. Hiding WordPress REST API v2 endpoints from public viewing
  38. Does WordPress only support HTTP 1.1?
  39. How do I troubleshoot responses with WP HTTP API?
  40. Is curl required?
  41. The resource was preloaded using link preload but not used within a few seconds
  42. using wp_remote_get to retrieve own url on local host
  43. Using wp-cron in backpress – problems with wp_remote_post, fsockopen error
  44. Running index.php from command line & load balancer health checks
  45. Enable CORS in wordpress
  46. Change port of wordpress
  47. How to get value of custom http header?
  48. Several times request to load plugins when sending one request
  49. why is $_REQUESt[‘redirect_to’] empty?
  50. Get “HTTP/1.1 406 Not Acceptable” when accesing my website with Delphi Indy Control
  51. WordPress HTTP 500 Error “page isn’t working”
  52. What’s the point in having “www” in a URL?
  53. For what is the “.well-known”-folder?
  54. How to make wireshark filter POST-requests only?
  55. Image file urls still point to http instead of https
  56. What is the difference between POST and PUT in HTTP?
  57. How to send a header using a HTTP request through a cURL call?
  58. What is the correct JSON content type?
  59. How to do a PUT request with cURL?
  60. Significance of port 3000 in Express apps
  61. How do I pull from a Git repository through an HTTP proxy?
  62. What does vary:accept-encoding mean?
  63. Uri not Absolute exception getting while calling Restful Webservice
  64. How do I POST JSON data with cURL?
  65. HTTP GET with request body
  66. urllib2.HTTPError: HTTP Error 403: Forbidden
  67. Response Content type as CSV
  68. HTTP status code 0 – Error Domain=NSURLErrorDomain?
  69. How do I use the ‘http_request_host_is_external’ filter
  70. Clarity needed on usage of multiple 403 forbidden header() functions at the beginning of the plugin files
  71. force http canonical tag on https pages
  72. How can I use CURLOPT_USERPWD in wp_remote_post?
  73. Upgrade to SSL Breaks Admin Dashboard
  74. How can I change HTTP headers only to posts of a specific category from a plugin
  75. How to get title tag of an external page with http api?
  76. Can I use HTTP POSTs? Is there a better alternative?
  77. How To Reset Ownership And Permissions of Wp-Content Folder, In Order to Fix HTTP Error When Uploading Images to WordPress Media Library
  78. wordpress api using rest_route for other pages
  79. Is there an equivalent to WP_Error object I can return in the case of a successful REST request?
  80. No ‘Access-Control-Allow-Origin’ header is present [closed]
  81. Redirect HTTP to HTTPS for all sub domains (blog posts)
  82. How to use https on one page only?
  83. How to make my site use HTTPS for images or how to insert images as relative paths?
  84. 404/500 error on content images if Referer header is from another domain [closed]
  85. Implementing a URL Shortener
  86. Last-Modified header support doesn’t speed up server processing – want more
  87. Why does WP HTTP API switch the method (POST/PURGE) to GET when redirecting (302)?
  88. Need workaround for insecure XMLHttpRequest endpoint request
  89. What is this HTTP_REFERRER “WordPress/4.1.2”
  90. How exactly does WordPress load themes from api.wordpress.org?
  91. Configure WordPress to listen on a port other than 80
  92. How to switch static files back to using HTTP instead of HTTPS?
  93. throttle/limit a logged in user’s http requests to specific page on a per day basis
  94. CSS/JS is not working in multi lang installation
  95. Does WordPress perform better with curl installed?
  96. Any idea on how to fix this error when forcing SSL on a certain page?
  97. Random HTTP 500 error in WordPress
  98. Nice font not working when http to https – SSL Issue
  99. How to list Apache enabled modules?
  100. How do you modify HTTP response headers on feed/?

Leave a Comment