Brad Laney

6 comments by Brad Laney

I cannot use WebSocketSharp because it's missing the ability to customize authorization headers. I am trying to integrate with a WebSocket API that takes in OAuth2 bearer tokens.

@ricea That's not the main reason why you don't put authentication values in URLs. It's because of server logs. Auth tokens should be treated with the same security concern as...

@ricea Sadly, implementers don't get to make the decision of what is required to use an API. I am currently trying to use an API that REQUIRES OAuth2 bearer tokens...

@ricea there is only personally-identifiable information in there if you aren't doing good practices. At most there should be an IP address, but you can opt to not record that...

@davidfowl Actually, yes, it is inherently less secure to send it via query string. This is why the OAuth spec requires the credentials to be passed in headers or body, always....

@davidfowl I've given up the fight. I think we should fork, fix, and ignore this repository for life. I physically switched from C# to Node.js because of this. I don't...