From IndieWeb

The MetaWeblog API is an outdated XML-RPC-based API (superseded by Micropub) for CRUD operations between blog client and server software. It depends on a username and password being entered into clients (instead of OAuth) and sent over HTTP (often not HTTPS), which creates a security vulnerability for users.


Aaron Parecki wrote an experimental MetaWeblog to Micropub gateway to translate the XML-RPC API requests to simpler Micropub requests.



The MetaWeblog API sends your username and password in plaintext in the body of the XML-RPC request. Anyone listening to the communication between your client and server is able to get your password. Ideally, one would not be using MetaWeblog to post entries over public wifi (say, on a smartphone).

Authentication at the application level is a layer violation. The Atom Publishing Protocol does not have plaintext username/password transmission but delegates authentication to HTTP.
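
The plaintext exposure described above, as an added example (not code from the original page or from any MetaWeblog implementation): it serializes a `metaWeblog.newPost` call with Python's standard `xmlrpc.client`, then audits the request and redacts the password before the body is logged. The endpoint URLs, the credentials and the `build_request` / `audit_request` helpers are constructed for illustration.

```python
import xmlrpc.client
from urllib.parse import urlsplit

# In the metaWeblog.* methods (newPost, editPost, getPost, getRecentPosts,
# newMediaObject) params[1] is the username and params[2] is the password.
PASS_IDX = 2


def build_request(method, *params):
    """Serialize an XML-RPC call the way a blog client would."""
    return xmlrpc.client.dumps(params, methodname=method)


def audit_request(endpoint, body):
    """Return (findings, body_safe_to_log) for one outgoing XML-RPC request."""
    params, method = xmlrpc.client.loads(body)
    findings = []
    if method and method.startswith("metaWeblog.") and len(params) > PASS_IDX:
        findings.append("credentials in request body")
        if urlsplit(endpoint).scheme.lower() != "https":
            findings.append("no TLS: password readable on the wire")
        redacted = list(params)
        redacted[PASS_IDX] = "[REDACTED]"
        body = xmlrpc.client.dumps(tuple(redacted), methodname=method)
    return findings, body


# Constructed sample: blog id, username, password, post struct, publish flag.
SAMPLE_BODY = build_request(
    "metaWeblog.newPost", "1", "alice", "constructed-pass-123",
    {"title": "Hello", "description": "First post"}, True)

if __name__ == "__main__":
    for url in ("http://blog.example/xmlrpc", "https://blog.example/xmlrpc"):
        findings, safe = audit_request(url, SAMPLE_BODY)
        print(url, findings)
    print(safe)  # same call, password replaced before logging
```

Even over HTTPS the audit still reports the credentials in the body: TLS protects them on the wire, but the client and the server endpoint both handle the raw password on every request.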

See Also