box/box-ui-elements

Box file download calls expose API token in query parameters

Closed · 1 comment

This issue has been flagged by our teams utilizing the explorer element to interact with content stored in Box. We have noticed that there are situations where a download URL is generated that exposes the API token within the URL query parameters. Internally we have this flagged as a security risk violating best practices.

```js
// Excerpt from the download URL construction: the bearer token is spread into the
// query object, so it ends up in the URL itself (and therefore in browser history,
// proxy and server logs, and Referer headers).
const downloadUrlParams = { ...query, access_token: token };
```

It seems this issue can be resolved by simply removing the token from being exposed in the query parameter and shifting this into the authorization header.

https://developer.box.com/reference/get-files-id-content/
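The following is an added illustration, not code from box-ui-elements, contrasting the reported pattern with the header-based alternative the reporter suggests, plus a small check a team can run over generated URLs to catch credentials in query strings. The `/files/:id/content` path follows the Box reference linked above; the API base URL, the function names, and the token value are assumptions made for the example.

```javascript
// Added example (not box-ui-elements code): builds a Box file-content URL two ways
// and shows why the header form is preferred. The endpoint path follows the
// GET /files/:id/content reference; the base URL and names below are assumptions.

const API_BASE = 'https://api.box.com/2.0'; // assumption: Box API base URL

// Reported pattern: the token rides in the query string, so it lands in browser
// history, proxy/CDN logs, Referer headers and any server-side access log.
function buildDownloadUrlWithTokenInQuery(fileId, token, query = {}) {
  const url = new URL(`${API_BASE}/files/${encodeURIComponent(fileId)}/content`);
  for (const [k, v] of Object.entries({ ...query, access_token: token })) {
    url.searchParams.set(k, String(v));
  }
  return url.toString();
}

// Preferred form: the token goes only in the Authorization header. The URL carries
// nothing secret, so logging or sharing it does not leak the credential.
function buildDownloadRequest(fileId, token, query = {}) {
  const url = new URL(`${API_BASE}/files/${encodeURIComponent(fileId)}/content`);
  for (const [k, v] of Object.entries(query)) url.searchParams.set(k, String(v));
  return {
    url: url.toString(),
    options: { method: 'GET', headers: { Authorization: `Bearer ${token}` } },
  };
}

// Defender-side check: which query parameters of a URL look like credentials?
// Suitable as a unit test or lint rule over every URL the UI generates.
const SECRET_PARAM_NAMES = new Set(['access_token', 'token', 'api_key', 'apikey']);
function findLeakedCredentialParams(urlString) {
  const url = new URL(urlString);
  return [...url.searchParams.keys()].filter((k) => SECRET_PARAM_NAMES.has(k.toLowerCase()));
}

// Usage with a constructed token (not a real credential).
const fakeToken = 'EXAMPLE_TOKEN_not_real';
const leakyUrl = buildDownloadUrlWithTokenInQuery('12345', fakeToken, { version: '2' });
const safeRequest = buildDownloadRequest('12345', fakeToken, { version: '2' });
console.log(findLeakedCredentialParams(leakyUrl));         // ['access_token']
console.log(findLeakedCredentialParams(safeRequest.url));  // []
```

The check only looks at parameter names, so it is a cheap guard against this specific regression rather than a general secret scanner; the underlying fix is still to keep the token out of the URL and send it as a bearer header, as the Box reference documents.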

We are aware that this may appear as a security issue but there are countermeasures that will reduce the risk of the situation where you can utilize the URL for X amount of time. Please contact customer service to know how exactly you can reduce the risk.