We have a video streaming app that has a basic username/password authentication.
Accessing the application is done by going to rtsp://username:firstname.lastname@example.org:554/video
Infosec isn't a fan of this setup and has blocked the app due to the username and password in the URL. How can I make the application accessible while hiding the username and password in the URL?
I don't blame them. Username and password in the URL is a pretty basic security mistake. e.g. when you're passing via a proxy. After all the URL is going too be logged somewhere... In your history etc.
The only way you can mask it is by changing the application that's insecure enough to insist on user/pass in the URL for a decent one.
That's the conclusion I came to as well.