Add a hideToken option to avoid sending the token via querystring

[BrunoCaimar]

• Our security scanning does not allow sending tokens via GET anymore
• Sending the token via the request header does not work because map services do not allow the preflight request

This can potentially fix #1364.

[patrickarlt]

@BrunoCaimar I took the day talk this through with internal teams at Esri. The consensus is that this behavior (token in the query string for GET requests) isn't really something we want to work around by making everything POST requests. The main issue is that POST requests are not cached anywhere in the system and this would defeat the work we have some to make feature layer requests tileable, cacheable and repeatable for the best performance. In the case of viral or heavily accessed feature services you would almost certainly run into rate limiting.

In order to hide the token in GET requests and still have the queries be cacheable we would need the server to properly handle preflighting OPTIONS requests. This could be done but it means that you double the number of requests and introduce another 150-200ms request-response cycle to do the preflightling which was judged as an unacceptable performance hit.

To mitigate this you can do the following:

• If you are accessing private user data use short lived tokens via oAuth 2.0 with PKCE. This will mean that tokens that do exist in logs are short lived in will likely be invalid by the time they could be used maliciously. This is the approach taken by the ArcGIS Maps SDK for JavaScript by default.
• If you are using API keys we recommend rotating keys on a regular basic for the same reasons above. We recommend this in our best practices
• If you using API Keys and want shorter expiration times for tokens you could switch to app credential authentication and generate a short lived token on the server to use on the client. Since these tokens expire quickly you can simply generate as many tokens as you need with short expiration.