diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index dba8778..af6b7cf 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -28,6 +28,12 @@ Changelog
 **Changes**:
+- *Backwards Incompatible:* API key is now being sent in the X-Redmine-API-Key header instead of the key GET
+ parameter which makes things more secure in case of a failed connection, but it might created issues for servers
+ that don't do custom request header forwarding by default, so be sure to check your web server before upgrading
+ (`Issue #328 `__ and
+ `Issue #330 `__) (thanks to `Tom Misilo `__
+ and `Ricardo Branco `__)
 - *Backwards Incompatible:* User ``all`` operation now really returns all users, i.e. not only active, but locked, registered and anonymous as well instead of only returning just active users in previous versions due to the respect to Redmine's standard behaviour (`Issue #327 `__)
diff --git a/tests/test_engines.py b/tests/test_engines.py
index e544342..16d59b4 100644
--- a/tests/test_engines.py
+++ b/tests/test_engines.py
@@ -8,7 +8,7 @@ class BaseEngineTestCase(BaseRedmineTestCase):
 def test_engine_init(self):
 redmine = Redmine(self.url, key='123', impersonate='jsmith', requests={'foo': 'bar'})
- self.assertEqual(redmine.engine.requests['params']['key'], '123')
+ self.assertEqual(redmine.engine.requests['headers']['X-Redmine-API-Key'], '123')
 self.assertEqual(redmine.engine.requests['headers']['X-Redmine-Switch-User'], 'jsmith')
 self.assertEqual(redmine.engine.requests['foo'], 'bar')
 redmine = Redmine(self.url, username='john', password='qwerty')
diff --git a/tests/test_redmine.py b/tests/test_redmine.py
index 4dda79a..8410e01 100644
--- a/tests/test_redmine.py
+++ b/tests/test_redmine.py
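Review bot: test_engine_init in tests/test_engines.py now pins the `X-Redmine-API-Key` header, but nothing asserts that the key has left the query parameters. An engine that set both would still pass, and the key would keep appearing in request URLs and in whatever logs or proxies record them. Add a negative check next to the new assertion, for example `self.assertNotIn('key', redmine.engine.requests.get('params', {}))`; the `.get` assumes `params` may be absent on this path, so adjust it to the engine's actual shape. test_session_key in tests/test_redmine.py has the same gap inside its `with` block. The test body appears to continue past the end of the hunk.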
@@ -41,8 +41,8 @@ def test_session_impersonate(self):
 def test_session_key(self):
 with self.redmine.session(key='opa'):
- self.assertEqual(self.redmine.engine.requests['params']['key'], 'opa')
- self.assertRaises(KeyError, lambda: self.redmine.engine.requests['params']['key'])
+ self.assertEqual(self.redmine.engine.requests['headers']['X-Redmine-API-Key'], 'opa')
+ self.assertRaises(KeyError, lambda: self.redmine.engine.requests['headers']['X-Redmine-API-Key'])
 def test_session_username_password(self):
 with self.redmine.session(username='john', password='smith'):
@@ -53,7 +53,8 @@ def test_session_requests(self):
 self.redmine.engine.requests['cert'] = ('bar', 'baz')
 requests = {'verify': False, 'timeout': 2, 'cert': ('foo', 'bar'), 'params': {'foo': 'bar'}}
 with self.redmine.session(key='secret', requests=requests):
- self.assertEqual(self.redmine.engine.requests['params'], dict(key='secret', **requests['params']))
+ self.assertEqual(self.redmine.engine.requests['headers'], {'X-Redmine-API-Key': 'secret'})
+ self.assertEqual(self.redmine.engine.requests['params'], requests['params'])
 self.assertEqual(self.redmine.engine.requests['verify'], requests['verify'])
 self.assertEqual(self.redmine.engine.requests['timeout'], requests['timeout'])
 self.assertEqual(self.redmine.engine.requests['cert'], requests['cert'])
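Review bot: The rewritten assertions in test_session_requests no longer exercise merging of the key with caller-supplied values. The removed line compared `params` with `dict(key='secret', **requests['params'])`, which proved the key was merged into the caller's params. The `requests` dict in this hunk has no `headers` entry, so a session that replaced the caller's headers with only the key header would still pass. Add `'headers': {'foo': 'bar'}` to the `requests` dict and assert `self.assertEqual(self.redmine.engine.requests['headers'], {'foo': 'bar', 'X-Redmine-API-Key': 'secret'})`. The function's `def` line is above the hunk.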