
Is there a difference between using a "Bearer" Authorization header and using a custom header? For example, the "Basic" Authorization header is different from a custom header because browsers treat "Basic" Authorization headers as a special case (some browsers cache the "Basic" Authorization header). In other words, is "Bearer" just an arbitrary string or do browsers know about it?

If I don't want future browsers to cache my bearer token, should I be safe and use a custom header?

For example, is there a difference between these (assuming my server can handle both):

```php
header('Authorization: Bearer 12345');
header('Mysite-Bearer-Token: 12345');
```
Leo Jiang

1 Answer


Bearer token is defined by OAuth 2.0. You can get more details from https://www.rfc-editor.org/rfc/rfc6750.

Kaneg
  • OAuth is merely a protocol on top of HTTP, the browser doesn't have to do anything special with the `Bearer` token. I awarded the bounty because it's the only answer. – Leo Jiang Mar 20 '16 at 21:17
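
An added example, not part of the original question or answer: a server-side extractor that accepts both header forms from the question and validates the token against the `b64token` syntax in RFC 6750 section 2.1. The function name `extractBearerToken` and the sample header maps are assumptions made for illustration.

```php
<?php
/**
 * Return the bearer token from a map of request headers, or null.
 * Accepts "Authorization: Bearer <b64token>" (RFC 6750 section 2.1) and,
 * as a fallback, the custom Mysite-Bearer-Token header from the question.
 * Hypothetical helper; in a request handler the map could come from getallheaders().
 */
function extractBearerToken(array $headers): ?string
{
    // HTTP header field names are case-insensitive.
    $h = array_change_key_case($headers, CASE_LOWER);

    // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    $b64token = '[A-Za-z0-9\-._~+\/]+=*';

    if (isset($h['authorization'])) {
        // The scheme name is matched case-insensitively. If an Authorization
        // header is present with another scheme (Basic, ...) or a malformed
        // token, reject instead of falling through to the custom header.
        if (preg_match('/^Bearer +(' . $b64token . ')\z/i', $h['authorization'], $m)) {
            return $m[1];
        }
        return null;
    }

    if (isset($h['mysite-bearer-token'])
        && preg_match('/^' . $b64token . '\z/', $h['mysite-bearer-token'])) {
        return $h['mysite-bearer-token'];
    }

    return null;
}

// Constructed sample requests (not real tokens).
$samples = [
    ['Authorization' => 'Bearer 12345'],
    ['authorization' => 'bearer 12345'],
    ['Mysite-Bearer-Token' => '12345'],
    ['Authorization' => 'Basic dXNlcjpwYXNz'],
    ['Authorization' => "Bearer 12345\r\nX-Injected: 1"],
];
foreach ($samples as $headers) {
    var_dump(extractBearerToken($headers));
}
```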