Is it possible to use a secret/SecureString in Netsuite in the header of a https.post?

Yes, I think that’s the primary use case.

I see in the docs that the url accepts a SecureString. Can the header object contain secure strings as well?

Yes, we use it to pass values in the Authorization header.

Probably not so secure

Correct. That would probably mean you have secrets stored in code.

Hmm, I want them to be stored as secrets, and I don't need to be able to “see” them in the code. But I need to add them to the http header

Yep, you can pull the key from the secrets store https.createSecureString(). You can pass the ID of the secret into that method. https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4418247678.html

Found a sample in suiteanswers that essentialy does what I want. 👍

It’s my understanding that secrets cannot be logged within NetSuite. I think I’ve tried to log a header object after a secret has been appended and the secret was not visible in the log. But, you’re right that there’s not much you can do if someone has access to your system. They could setup a remote HTTP server and send a request to it and capture the secret that way.

the point of the secrets is to make it so that the script doesnt actually have access to the secret

Yeah, but if you can change the script then you can change the target server. (unless the secret is bound to a domain)

the obvious answer here being restrict the domain

haha, yup

the older version of secrets used to be more restrictive and forced you to choose domains and scripts