Currently, for authentication for my Facebook App, I'm doing the following in PHP:

    if (!isset($_GET["code"])) {
        // Build the URL on one line: a header value must not contain newlines.
        header("Location: https://graph.facebook.com/oauth/authorize?"
             . "client_id=[MY_APP_ID]&"
             . "redirect_uri=[THIS_CURRENT_URL]&"
             . "scope=publish_stream");
        exit();
    }
    else if (!isset($_GET["access_token"])) {
        $code = $_GET["code"];
        // This redirect sends the browser to the token endpoint, so the
        // client_secret travels in a Location: header the user can read.
        header("Location: https://graph.facebook.com/oauth/access_token?"
             . "client_id=[MY_APP_ID]&"
             . "redirect_uri=[THIS_CURRENT_URL]&"
             . "client_secret=[MY_APP_SECRET]&"
             . "code=" . urlencode($code));
        exit();
    }
    else {
        // Escape before echoing: this value comes straight from the query string.
        echo htmlspecialchars($_GET["access_token"], ENT_QUOTES, "UTF-8");
    }

Is this safe/proper? Couldn't a malicious user just "intercept" the redirects and see my App ID and App Secret?

+6  A: 

This is the textbook definition of unsafe. The Location: header, like all headers, is sent to the user's browser, with the explicit purpose of making that data known to the user's browser. The content of the header will be available to any user running a debugging proxy (like Charles or FireBug) and, I strongly suspect, in the browser's address bar as well.

It's perfectly acceptable to send data this way if the user is allowed to see that data (this is often the case for single sign on applications), but the application secret is almost certainly not acceptable.

Consider using curl for connecting directly to the Facebook server instead.

Victor Nicollet
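The server-side exchange the answer recommends, as an added example (PHP 7+) that is not part of the question or the answer and is not Facebook's own SDK. It keeps the authorization redirect, but performs the code-for-token step with curl from the server, so the client_secret never appears in a header sent to the browser. The endpoint URLs and the [MY_APP_ID], [MY_APP_SECRET] and [THIS_CURRENT_URL] placeholders are the ones from the question; the random "state" check and the handling of both a url-encoded and a JSON token response are additions and assumptions about the API, not something the page states.

```php
<?php
// Added example, not code from the original question or answer.
// Exchanges the OAuth "code" for an access token with curl on the server,
// so the client_secret is only ever sent server-to-server over TLS.

session_start();

$appId       = '[MY_APP_ID]';        // placeholder from the question
$appSecret   = '[MY_APP_SECRET]';    // placeholder; load from config, never echo it
$redirectUri = '[THIS_CURRENT_URL]'; // placeholder; must match on both requests

if (!isset($_GET['code'])) {
    // Step 1: redirect the browser to the authorization page. Only public
    // values travel here. The random "state" value is an addition: it lets
    // the callback handler reject redirects this session did not start.
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;

    $authorizeUrl = 'https://graph.facebook.com/oauth/authorize?' . http_build_query([
        'client_id'    => $appId,
        'redirect_uri' => $redirectUri,
        'scope'        => 'publish_stream',
        'state'        => $state,
    ]);
    header('Location: ' . $authorizeUrl);
    exit();
}

// Step 2: back with a code. Verify the state before spending the code.
if (!isset($_GET['state'], $_SESSION['oauth_state'])
    || !hash_equals($_SESSION['oauth_state'], $_GET['state'])) {
    http_response_code(400);
    exit('Invalid OAuth state');
}
unset($_SESSION['oauth_state']);

// Step 3: exchange the code for a token server-to-server. The secret goes in
// this POST body; the browser never sees this request or its response.
$ch = curl_init('https://graph.facebook.com/oauth/access_token');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'client_id'     => $appId,
        'redirect_uri'  => $redirectUri,
        'client_secret' => $appSecret,
        'code'          => $_GET['code'],
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    // Certificate verification is curl's default; it is deliberately left on.
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error  = curl_error($ch);
curl_close($ch);

if ($body === false || $status !== 200) {
    error_log('Token exchange failed: HTTP ' . $status . ' ' . $error);
    http_response_code(502);
    exit('Could not obtain access token');
}

// Step 4: parse the token. Assumption: the response is either JSON
// ({"access_token": ...}) or url-encoded (access_token=...&expires=...).
$token = null;
$json  = json_decode($body, true);
if (is_array($json) && isset($json['access_token'])) {
    $token = $json['access_token'];
} else {
    parse_str($body, $fields);
    $token = $fields['access_token'] ?? null;
}

if ($token === null) {
    error_log('Unexpected token response: ' . substr($body, 0, 200));
    http_response_code(502);
    exit('Could not obtain access token');
}

// Keep the token server-side rather than echoing it into the page.
$_SESSION['fb_access_token'] = $token;
echo 'Authenticated; access token stored in the session.';
```

The only thing the browser receives in this version is the first redirect (app id, redirect URI, scope, state), which a user is allowed to see; the second request, the one carrying the secret, is made by the server itself, and its result stays in the session instead of being written to the response body.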