Sending sensitive data as a query string parameter

We are considering a system design, and we need to check what, in our opinion, could be a security problem.

In this system, some sensitive information is sent in the query string. Questions:

  • Is it possible to read the query string parameters as the request travels over the Internet, even if the request is sent via HTTPS?
  • Can the query string parameters be read from the browsing history on client machines?
+3
3 answers

When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, so the entire request (including the URL and its parameters) will be encrypted and will not be readable. The only thing that is visible to a third party is the server certificate (so they can see the host name, but that's it).

The browsing history is in no way protected by HTTPS, although some browsers may have some “safe browsing” options that could remove some HTTPS URLs automatically. Ultimately, it depends on the browser and its configuration.

+8

This is certainly a security issue if sensitive data is passed in a GET request. Sensitive data will not only be cached in the user's browser, but also in any proxy server, as well as in the web server logs.

0
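The answer above says the query string ends up in places HTTPS does not protect: browser history, proxy caches and web server access logs. The following is an added example, not code from the original thread, showing that path in Python: a constructed request URL with a secret in the query string, what a typical access-log line records from it, a redaction helper a defender can run before logging, and the mitigation of moving the sensitive value out of the URL into the request body. The parameter list `SENSITIVE_PARAMS` and the function names are assumptions made for this example.

```python
"""
Added example (not from the original Q&A): why secrets in a query string leak
into logs and history, plus two defensive helpers (redaction and moving the
value into the body). SENSITIVE_PARAMS and all function names are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (assumed list; adapt per application).
SENSITIVE_PARAMS = {"token", "password", "ssn", "session", "api_key"}


def request_target(url: str) -> str:
    """Return the part of the URL a web server writes to its access log:
    path plus query string (the scheme and host are not part of it)."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Return url with the values of sensitive query parameters replaced,
    leaving non-sensitive parameters and their order untouched."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(cleaned), parts.fragment))


def access_log_line(client_ip: str, method: str, url: str, status: int,
                    redact: bool = False) -> str:
    """Build a simplified access-log line (constructed format, similar in
    spirit to common web server logs). With redact=True the secret never
    reaches the log file."""
    target = request_target(redact_url(url) if redact else url)
    return f'{client_ip} "{method} {target} HTTP/1.1" {status}'


def find_sensitive_params(url: str) -> list[str]:
    """Names of sensitive parameters present in url; useful as a pre-deploy
    check on the URLs an application generates."""
    return sorted({k for k, _ in parse_qsl(urlsplit(url).query)
                   if k.lower() in SENSITIVE_PARAMS})


def split_sensitive(url: str) -> tuple[str, dict]:
    """Mitigation: strip sensitive parameters from the URL and return them
    as a dict meant for a POST body, which is neither stored in browser
    history nor written to a default access log."""
    parts = urlsplit(url)
    keep, body = [], {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS:
            body[k] = v
        else:
            keep.append((k, v))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(keep), parts.fragment))
    return clean, body


if __name__ == "__main__":
    # Constructed sample: a session token sent as a GET parameter.
    leaky = "https://example.test/account?user=alice&token=s3cr3t-abc&lang=en"
    print("sensitive params :", find_sensitive_params(leaky))
    print("logged as-is     :", access_log_line("203.0.113.5", "GET", leaky, 200))
    print("logged redacted  :", access_log_line("203.0.113.5", "GET", leaky, 200, redact=True))
    clean_url, body = split_sensitive(leaky)
    print("safer request    :", "POST", clean_url, "body =", body)
```

Running the block prints the same request three ways: the raw log line contains the token verbatim, the redacted line does not, and the split version keeps the URL free of secrets so history, proxies and access logs only ever see `user` and `lang`.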

Yes for the first. Not sure about the second one; it is browser-dependent, I think, but I suspect yes here too.

-1
