Box file download calls expose API token in query parameters
Closed this issue · 1 comment
This issue has been flagged by our teams utilizing the explorer element to interact with content stored in Box. We have noticed that there are situations where a download URL is generated that exposes the API token within the URL query parameters. Internally we have this flagged as a security risk violating best practices.
box-ui-elements/src/api/File.js
Line 82 in 7e4fa66
It seems this issue can be resolved by simply removing the token from being exposed in the query parameter and shifting this into the authorization header.
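The change proposed above, as an added example that is not part of this issue or of the box-ui-elements code: a download URL built with the token in its query string next to the same request built with the token in the `Authorization` header, plus a small check that flags URLs carrying a token parameter so that such URLs can be caught in review or redacted before logging. The endpoint path, the `Bearer` scheme, the list of parameter names and all sample values are assumptions made for the example.

```javascript
// Added example (not box-ui-elements code): contrast a download URL that
// carries the API token in its query string with one that sends the token
// in the Authorization header, and provide a check for leaked tokens.

// Hypothetical API base URL; the real endpoint is an assumption here.
const API_BASE = 'https://api.example.invalid/2.0';

// Query parameter names commonly used to carry tokens (assumed list).
const TOKEN_PARAMS = ['access_token', 'token', 'auth_token', 'api_key'];

// The risky pattern: the token becomes part of the URL. Anything that sees
// the URL (proxy and server logs, browser history, Referer headers, a link
// pasted into chat) sees the token for as long as it remains valid.
function buildDownloadUrlWithTokenInQuery(fileId, token) {
  const url = new URL(`${API_BASE}/files/${encodeURIComponent(fileId)}/content`);
  url.searchParams.set('access_token', token);
  return url.toString();
}

// The fix: keep the URL free of secrets and send the token as a header.
// Headers are not recorded in browser history and are not copied into
// Referer headers, so the exposure surface shrinks to the request itself.
function buildDownloadRequest(fileId, token) {
  const url = `${API_BASE}/files/${encodeURIComponent(fileId)}/content`;
  return {
    url,
    options: {
      method: 'GET',
      headers: { Authorization: `Bearer ${token}` },
    },
  };
}

// Defender-side check: which query parameters of this URL look like tokens?
// Returns the offending parameter names, or [] when the URL is clean.
function findTokenParams(urlString) {
  const url = new URL(urlString);
  const leaked = [];
  for (const [name] of url.searchParams) {
    if (TOKEN_PARAMS.includes(name.toLowerCase())) leaked.push(name);
  }
  return leaked;
}

// Redaction helper for logging: replace token values so that a URL which
// does carry a token can still be written to a log without leaking it.
function redactTokenParams(urlString) {
  const url = new URL(urlString);
  for (const name of findTokenParams(urlString)) {
    url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

// Constructed sample values (not real identifiers or credentials).
const SAMPLE_FILE_ID = '12345';
const SAMPLE_TOKEN = 'constructed-token-value';

const risky = buildDownloadUrlWithTokenInQuery(SAMPLE_FILE_ID, SAMPLE_TOKEN);
const safe = buildDownloadRequest(SAMPLE_FILE_ID, SAMPLE_TOKEN);
console.log('query-string URL leaks token via:', findTokenParams(risky));
console.log('header-based URL leaks via:', findTokenParams(safe.url));
console.log('header-based request headers:', safe.options.headers);
console.log('safe-to-log form of the risky URL:', redactTokenParams(risky));
```

`findTokenParams` is the piece worth wiring into a request interceptor or a unit test: it turns the review comment "the token should not be in the URL" into a check that fails the build when a download URL regresses to the query-string form.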
We are aware that this may appear as a security issue, but there are countermeasures that will reduce the risk of the situation where you can utilize the URL for X amount of time. Please contact customer service to learn exactly how you can reduce the risk.