Zuke
Dec 06, 2021

Hide Username and Password in URL

We have a video streaming app that has a basic username/password authentication.

Accessing the application is done by going to rtsp://username:password@example.com:554/video

Infosec isn't a fan of this setup and has blocked the app due to the username and password in the URL. How can I make the application accessible while hiding the username and password in the URL?

  • Hamish

    I don't blame them. Username and password in the URL is a pretty basic security mistake, e.g. when you're passing via a proxy. After all, the URL is going to be logged somewhere... in your history, etc.

    The only way you can mask it is by changing the application that's insecure enough to insist on user/pass in the URL for a decent one.

    • Zuke

      That's the conclusion I came to as well.
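
Added example, not part of the original thread: a log scrubber for the exposure discussed above, which finds URLs carrying `user:password@` userinfo in log lines and redacts them before the logs are stored or shared. The log format, the `REDACTED` marker and the function names are assumptions made for illustration; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Any scheme://... token, ending at whitespace or a quote character.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

def redact_url(url):
    """Return (url_with_userinfo_redacted, had_password)."""
    try:
        netloc = urlsplit(url).netloc
    except ValueError:          # malformed authority, e.g. bad IPv6 brackets
        return url, False
    # Userinfo is everything before the LAST '@' of the authority, so an
    # '@' in the path or query is never mistaken for credentials.
    userinfo, at, hostport = netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url, False       # no userinfo, or username only (no password)
    return url.replace(netloc, "REDACTED:REDACTED@" + hostport, 1), True

def scrub_line(line):
    """Redact every credential-bearing URL in a log line; return (line, hits)."""
    hits = 0
    def _sub(match):
        nonlocal hits
        redacted, found = redact_url(match.group(0))
        hits += found
        return redacted
    return URL_RE.sub(_sub, line), hits

# Constructed sample log lines (hypothetical proxy log format).
SAMPLE_LOG = [
    "2021-12-06T10:01:02Z proxy01 DESCRIBE rtsp://username:password@example.com:554/video 200",
    "2021-12-06T10:01:05Z proxy01 DESCRIBE rtsp://example.com:554/video 401",
    "2021-12-06T10:01:09Z proxy01 GET https://example.com/users/@zuke?ref=a:b 200",
    "2021-12-06T10:01:12Z proxy01 DESCRIBE rtsp://cam:p%40ss@[2001:db8::1]:554/video 200",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, hits = scrub_line(raw)
        print(("LEAK  " if hits else "ok    ") + clean)
```

Redacting logs only limits where an already-exposed secret spreads; credentials that reached a log should still be rotated.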