tls – Server to Server HTTP Authentication


I’m designing an API, and had some quick questions about HTTP authentication and security.

The API will involve two web servers, one of which I am the developer of (let’s call it Server 1). The server that I am interested to retrieve data from, unfortunately, is one I do not have control over (Server 2).

In order to retrieve data from Server 2, a ‘user’ needs to log in first. This is performed with basic HTTP authentication.

My question is: Are there any serious security vulnerabilities present if I send a username and password (contained in JSON) in the body of a POST request from Server 1 to Server 2 in order to log a ‘user’ in and create a session? The username and password would be safely contained in config variables until they are sent in the POST request. Both servers use SSL, so the messages should be encrypted.

As I do not have control over Server 2, this is the only way I can think of to create this API, without requesting development on Server 2.

I would think this is basically the same as using a regular HTML form to log in to a service using username/password, but I wanted to get confirmation from the community.

Thank you very much.
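The flow the question describes, Server 1 logging in to Server 2 over HTTPS with credentials held in configuration, written out as an added example that is not part of the original post. It is standard-library Python; the assumed names are SERVER2_LOGIN_URL, the SERVER2_USER and SERVER2_PASS settings, and an in-memory fake transport that stands in for Server 2 so the script runs offline. It shows the checks a practitioner would want around such a request: credentials read from configuration rather than source, an https-only guard, certificate and hostname verification left on, and the Authorization header masked before anything is logged.

```python
"""Server 1 logging in to Server 2 with HTTP Basic authentication over HTTPS.

Added example, not code from the original post. Hypothetical names:
SERVER2_LOGIN_URL, the SERVER2_USER / SERVER2_PASS settings, and the
fake transport that stands in for Server 2 so the demo runs offline.
"""
import base64
import os
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SERVER2_LOGIN_URL = "https://server2.example/api/login"  # assumed endpoint


def load_credentials(env=None):
    """Read credentials from configuration (environment here), never from source."""
    env = os.environ if env is None else env
    try:
        return env["SERVER2_USER"], env["SERVER2_PASS"]
    except KeyError as exc:
        raise RuntimeError(f"missing credential setting {exc.args[0]}") from None


def basic_auth_header(user, password):
    """RFC 7617 value: 'Basic ' + base64(user ':' password); user may not contain ':'."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def tls_context():
    """Default context: CA verification and hostname check are on. Never relax these."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the server certificate")
    return ctx


def require_https(url):
    """Refuse to put credentials on the wire unless the scheme is https."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over {scheme!r}; https required")
    return url


def redact(headers):
    """Header copy that is safe to log: the Authorization value is masked."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


def https_transport(url, headers, context, timeout=10):
    """Real transport: one urllib POST; returns (status, response headers)."""
    req = urllib.request.Request(url, headers=headers, method="POST", data=b"")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def login(url, user, password, transport=https_transport):
    """Log in to Server 2; returns the session cookie ('name=value') on success."""
    require_https(url)
    headers = {"Authorization": basic_auth_header(user, password),
               "Accept": "application/json"}
    print("sending login request", redact(headers))  # log only the redacted copy
    status, resp_headers = transport(url, headers, tls_context())
    if status != 200:
        raise PermissionError(f"login failed with HTTP {status}")
    cookie = resp_headers.get("Set-Cookie", "").split(";", 1)[0].strip()
    if not cookie:
        raise RuntimeError("login succeeded but no session cookie was returned")
    return cookie


def fake_server2(expected_user, expected_password):
    """Constructed stand-in for Server 2: checks Basic auth, issues a session cookie."""
    good = basic_auth_header(expected_user, expected_password)

    def transport(url, headers, context):
        if headers.get("Authorization") == good:
            return 200, {"Set-Cookie": "session=abc123; Secure; HttpOnly"}
        return 401, {"WWW-Authenticate": 'Basic realm="server2"'}
    return transport


def demo():
    """Offline run against the fake Server 2 with constructed config values."""
    config = {"SERVER2_USER": "server1-svc", "SERVER2_PASS": "s3cret"}  # constructed
    user, password = load_credentials(config)
    return login(SERVER2_LOGIN_URL, user, password, fake_server2(user, password))


if __name__ == "__main__":
    print("session cookie:", demo())
```

Swapping `fake_server2(...)` for the default `https_transport` sends the same request to a real endpoint. Sending the credentials as a JSON body instead of a Basic header changes only where the secret sits inside the request; once inside the TLS session the exposure is the same, so the https guard, the verifying context and the redacted logging apply unchanged.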