I have to perform a web call and would like to use HTTPS, where a password must be provided. See below:
What is the best practice for storing and passing the password? I would not like to have it hard coded in the script or visible anywhere for that matter. Just trying to apply sound security practices, regardless of how small the risk may be.
Passing the password generally has to be in clear text within the HTTPS stream. On your end, it must therefore be stored in clear text somewhere, or reversibly encrypted. A good option is to place your credentials in JSON format in a file on your gateway with the file’s permissions set to allow only the gateway service to read it.
The protected JSON can work.
Brings me to another question:
What’s a good way of making the file location available to the scripts? I thought of making a parameter tag and just reading that.
I would read the file during script module startup from a fixed location, directly into a JSON object. Gateway scripts can then just access that object’s properties.
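The approach from the replies above (a JSON credentials file readable only by the gateway service, loaded once from a fixed location), as an added example that is not part of the original thread. It assumes a POSIX gateway host; the path `/etc/gateway-secrets/webcall.json`, the key names `username` and `password`, and all function names are hypothetical.

```python
import json
import os
import stat

# Hypothetical fixed location and key names; neither comes from the thread.
CRED_PATH = "/etc/gateway-secrets/webcall.json"
REQUIRED_KEYS = ("username", "password")


class CredentialFileError(Exception):
    """Raised when the credentials file is unsafe to use or malformed."""


def load_credentials(path=CRED_PATH):
    # O_NOFOLLOW makes open fail (OSError) if a symlink sits at the fixed path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as fh:
        st = os.fstat(fh.fileno())  # inspect the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise CredentialFileError("%s is not a regular file" % path)
        # The owner must be the account running this process (the service).
        if st.st_uid != os.getuid():
            raise CredentialFileError("%s has an unexpected owner" % path)
        # Any group/other bit lets another account read or replace the secret.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialFileError(
                "%s has mode %o; expected 600" % (path, stat.S_IMODE(st.st_mode)))
        try:
            creds = json.load(fh)
        except ValueError:
            # Report only the path: file contents must never reach a log.
            raise CredentialFileError("%s is not valid JSON" % path)
    if not isinstance(creds, dict):
        raise CredentialFileError("top-level JSON value must be an object")
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise CredentialFileError("missing keys: %s" % ", ".join(missing))
    return creds


_cache = None


def get_credentials():
    """Read the file on first use and hand back the same parsed object after."""
    global _cache
    if _cache is None:
        _cache = load_credentials()
    return _cache
```

Scripts call `get_credentials()["password"]` at the point of the web call, so the secret appears neither in the script source nor in a tag value.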