Reputation: 65391
Sending sensitive data as a query string parameter
We are reviewing the design of a system. And need to verify what we think may be a security issue.
In this system some sensitive information is sent in the query string. Question is:
- Can the query string parameters be read as the request goes over the internet, even if the request is sent over https?
- Can the query string parameters be read be read from the browsing history on the client machines?
Upvotes: 4
Views: 3568
Answers (3)
Reputation: 1
This is certainly a security issue if sensitive details are being passed in get request. Sensitive data will not only get cached in the user's browser but also in any proxy on d way and plus in webserver logs
Upvotes: 0
Reputation: 122649
When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible by a third party is the server certificate (so they could see the host name, but that's it).
The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.
Upvotes: 10
Reputation: 52645
Yes for the first. Not sure about the second - depends on the browser, I guess - but I suspect, Yes, here as well.
Upvotes: -1
Related Questions
- Is a HTTPS query string secure?
- how to pass encrypted query string in asp.net
- Sending Personal Information in GET String
- How to pass parameters in https GET request for (Shopware) Rest API
- Encode URL parameter values for sensitive content?
- Query Parameter in SSL Request
- Security implications of posting an HTTPS GET request with sensitive data
- Pass GET parameters in query-string
- Passing GET variables over SSL = secured?
- How secure is sending sensitive data over https?