
Passing username and password as HTTP Headers doesn't seem like a good idea


I'm curious about what makes it a bad idea. What is the difference between sending it as a header compared to sending it as form data? If someone has access to headers, they probably also have access to the body.


Yeah you're right, that's definitely not the most secure. Do you know of a more secure alternative I could try instead?


I'd suggest using forms.Form for a LoginForm containing e.g.

    username = forms.CharField(max_length=150)
    password = forms.CharField(widget=forms.PasswordInput)

and then a view to instantiate form with request.POST (if request.POST) like:

form = LoginForm(request.POST)

and then if form.is_valid() you can clean data using

username = form.cleaned_data['username']

and the same for password.

Then:

user = authenticate(request, username=username, password=password)

and then check if user is not None then login(request, user)

Note that login and authenticate come from django.contrib.auth (from django.contrib.auth import authenticate, login).

Hope that helps.
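The three steps in the comment above (validate the posted form, authenticate, then log the user in), as an added example that is not from the original thread and is not Django code: a standard-library-only sketch of the same flow, with a constructed in-memory user store, PBKDF2 hashing plus a constant-time comparison standing in for Django's authenticate(), and an opaque session token standing in for login(). The names clean_login_form, authenticate, login, login_view, USERS and SESSIONS are my own, and the user record is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

_ITERATIONS = 200_000  # PBKDF2 work factor; assumption chosen for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, hash) the way a registration flow would store it."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample user store (username -> (salt, hash)); a real app keeps this in a DB.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_user_record("correct horse battery staple"),
}

# Constructed session store (token -> username); stands in for Django's session backend.
SESSIONS: Dict[str, str] = {}


def clean_login_form(body: bytes) -> Optional[Dict[str, str]]:
    """Step 1 (the form.is_valid() / cleaned_data step): parse the urlencoded
    POST body and apply the same constraints as the LoginForm in the comment
    (non-empty username of at most 150 chars, non-empty password)."""
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    if not username or len(username) > 150 or not password:
        return None
    return {"username": username, "password": password}


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 2 (the authenticate() step): verify the password against the stored
    hash in constant time. Returns the username on success, None otherwise."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return username
    return None


def login(user: str) -> str:
    """Step 3 (the login(request, user) step): issue an opaque session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def login_view(body: bytes) -> Tuple[int, Optional[str]]:
    """The view: 400 for an invalid form, 401 for bad credentials, 200 plus a
    session token on success. The password itself is never stored or logged."""
    data = clean_login_form(body)
    if data is None:
        return 400, None
    user = authenticate(data["username"], data["password"])
    if user is None:
        return 401, None
    return 200, login(user)


if __name__ == "__main__":
    print(login_view(b"username=alice&password=correct+horse+battery+staple")[0])
    print(login_view(b"username=alice&password=wrong"))
```

Two design points carry over to any implementation of this flow: hashing on an unknown username keeps the response time the same as for a wrong password, and hmac.compare_digest avoids an early-exit comparison that would leak how many leading bytes matched.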


Thank you, Django Forms do look promising. I’ll definitely look into more secure alternatives to the current implementation.


...how is that more secure?



