Facebook JavaScript SDK: passing access token to server (Node.js)

I have made a website where I can log in to Facebook. When I have logged into Facebook, I can e.g. do a search. This search requires me to pass along the access token to the server.

I was wondering how the security around this should be implemented. It is very easy to pick up the access token if I just pass it along as a plain parameter to the server-side request.

How should you pass the access token to the server?

Right now I'm just passing it as a URL-encoded parameter. The server runs on Node and Express.

EDIT: I see Facebook is just passing it as a URL parameter in their Graph API Explorer as well, so maybe it's just the way to go.
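
One way to keep the token out of the URL, as an added example that is not part of the original post: the server reads it from an `Authorization: Bearer` header (RFC 6750) and scrubs any `access_token` query parameter before a URL is logged. The function names and sample tokens are constructed, and HTTPS between the browser and the Node server is assumed.

```javascript
// Added example: names and sample values are constructed, not from the post.
// Assumes the browser sends the Facebook token over HTTPS in an
// "Authorization: Bearer <token>" header instead of the query string.

const SENSITIVE_PARAMS = new Set(['access_token']);

// Return the bearer token from a Node/Express-style headers object, or null.
function extractBearerToken(headers) {
  const value = headers['authorization']; // Node lower-cases header names
  if (typeof value !== 'string') return null;
  const match = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Rewrite a request URL so sensitive parameters never reach access logs.
function redactUrl(originalUrl) {
  const url = new URL(originalUrl, 'http://placeholder.invalid');
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      url.searchParams.set(name, 'REDACTED');
    }
  }
  return url.pathname + url.search;
}

// Express-style middleware: accept the token only from the header.
function requireHeaderToken(req, res, next) {
  const inQuery = new URL(req.url, 'http://placeholder.invalid')
    .searchParams.has('access_token');
  const token = extractBearerToken(req.headers);
  if (inQuery || !token) {
    res.statusCode = 401;
    return res.end('Send the token in the Authorization header');
  }
  req.accessToken = token; // handlers use this for their Graph API calls
  next();
}
```

A URL parameter ends up in server access logs, browser history and `Referer` headers even over HTTPS, while a request header does not, which is the difference this middleware enforces.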