Disabling token acquisition through HTTP GET requests

Note:

This functionality is available as part of the ArcGIS 10.1 SP1 for Server Security Patch (September 2013). You'll need to download and install the patch in order to disable token acquisition through HTTP GET requests.

When using ArcGIS token-based authentication, you can acquire a token through an HTTP GET request. Although this is a convenient method of acquiring a token, a user's credentials are provided as part of the URL and may be stored in browser history or in network components.

If you are concerned about the security implications of acquiring a token through an HTTP GET request, you can disable this feature by following the steps below.

Steps:
  1. Log in to the ArcGIS Server Administrator Directory. The URL is in the format http://gisserver.domain.com:6080/arcgis/admin.
  2. Click security > tokens > update.
  3. In the Token Manager Configuration dialog box, add a comma (,) to the end of the "shortTimeout": "60" property.
  4. Add "allowHttpGet": "false" to the end of the list of existing property values, for example:

    {
      "type": "BUILTIN",
      "properties": {
        "longTimeout": "1440",
        "sharedKey": "VYHyatfGUlFWHgnAVMEc40nL1rn7s+l190vtgMjCx3c=",
        "shortTimeout": "60",
        "allowHttpGet": "false"
      }
    }
    

  5. Click Update.
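
The following Python sketch is an added example, not part of the ArcGIS documentation or product. It prepares the JSON for steps 3 and 4 programmatically so that a missing comma cannot slip in, and reports the current setting; the function names and the placeholder sharedKey are assumptions made for illustration.

```python
import json

# Constructed sample: the configuration as it looks before the change.
# The sharedKey is a placeholder, not a real key.
BEFORE = """{
  "type": "BUILTIN",
  "properties": {
    "longTimeout": "1440",
    "sharedKey": "PLACEHOLDER-SHARED-KEY",
    "shortTimeout": "60"
  }
}"""

# Constructed sample: step 4 applied by hand with step 3 (the comma) skipped.
MISSING_COMMA = BEFORE.replace('"60"', '"60"\n    "allowHttpGet": "false"')


def get_state(config_text):
    """Report whether GET token acquisition is disabled in a configuration."""
    props = json.loads(config_text).get("properties", {})
    value = props.get("allowHttpGet")
    if value is None:
        return "not set"
    return "disabled" if str(value).lower() == "false" else "enabled"


def disable_http_get(config_text):
    """Return the configuration with "allowHttpGet": "false" set.

    json.loads raises ValueError on malformed input, such as a missing comma.
    """
    config = json.loads(config_text)
    props = config.get("properties")
    if not isinstance(props, dict):
        raise ValueError('configuration has no "properties" object')
    props["allowHttpGet"] = "false"  # string value, as in the page's example
    return json.dumps(config, indent=2)


def redacted(config_text):
    """Copy of the configuration for logs or tickets, with sharedKey masked."""
    config = json.loads(config_text)
    if "sharedKey" in config.get("properties", {}):
        config["properties"]["sharedKey"] = "<redacted>"
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(get_state(BEFORE))
    print(redacted(disable_http_get(BEFORE)))
```

Paste the output of disable_http_get into the Token Manager Configuration dialog box in place of the hand-edited text, then continue with step 5.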
12/18/2014