Reputation: 2152
I am being forced to deal with IBM AppScan results. This one is giving me headaches. I am getting the following flag from AppScan on the following executed statement (and others just like it).
Flag: Query parameters were passed over SSL, and may contain sensitive information Source: https://.../bundles/jqueryval?v=(version)
The root of it all seems to be Bundling and Minification.
My RegisterBundles looks like this:
public static void RegisterBundles(BundleCollection bundles)
{
    bundles.Add(new ScriptBundle("~/bundles/jquery").Include(
        "~/Scripts/jquery-{version}.js"));
    ...
}
And my _Layout.cshtml calls it like this:
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CD Renewal - @ViewBag.Title</title>
    @Styles.Render("~/Content/css")
    @Scripts.Render("~/bundles/jquery")
    @Scripts.Render("~/bundles/jqueryval")
    @Scripts.Render("~/bundles/modernizr")
    @Scripts.Render("~/bundles/bootstrap")
</head>
Any idea on how I can make bundling pass the version param (v) in the body as a post and not a query string?
Upvotes: 0
Views: 1588
Reputation: 2152
After going to great lengths to talk with Microsoft Support about this, here is the abridged answer I received from them:
"It is a by-design behavior that the query string will get added to the URL as a “caching buster” so that the client doesn’t cache older versions.
Moreover, the query string is ignored completely at the server side and it is not vulnerable to any attacks." - Microsoft Premium Support
Upvotes: 1
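The practical problem left by the answer above is triage: the scanner raises the same "query parameters over SSL" flag for every URL, and only some of those are the bundling cache-buster. The script below is an added example (not part of the question, the answer, or any Microsoft or IBM tooling) that separates a `v=` digest on a bundle path from parameters that genuinely warrant review. The bundle path prefixes, the sensitive-name list, the digest shape and the sample URLs under `example.test` are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: paths that are served by ASP.NET bundling, where the query string is
# only a cache-buster and (per the vendor answer) ignored by the server.
BUNDLE_PREFIXES = ("/bundles/", "/Content/")

# Assumption: parameter names that usually carry secrets; any hit is kept for review
# regardless of where it appears.
SENSITIVE_NAMES = {"token", "password", "passwd", "pwd", "session", "sessionid",
                   "sid", "apikey", "api_key", "key", "secret", "auth", "ssn"}

# Assumption: the cache-buster value is an opaque digest, url-safe base64 or hex,
# of at least 20 characters. "v=1" on an application page does not qualify.
CACHE_BUSTER_VALUE = re.compile(r"^(?:[A-Za-z0-9_-]{20,}={0,2}|[0-9a-fA-F]{20,})$")

# Constructed sample of scanner findings (not real AppScan output).
SAMPLE_FINDINGS = [
    "https://example.test/bundles/jqueryval?v=QBr-oW1q7Z9KxAbCdEfGhIjKlMnOpQrStUvWxYz0123",
    "https://example.test/bundles/jquery?v=3f2a9c8e1b0d4e5f6a7b8c9d0e1f2a3b",
    "https://example.test/Account/Login?ReturnUrl=%2FHome",
    "https://example.test/api/renew?token=abcdef0123456789",
    "https://example.test/Home/Index?v=1",
]


def classify_param(path, name, value):
    """Return 'sensitive', 'cache-buster' or 'review' for one query parameter."""
    lname = name.lower()
    if lname in SENSITIVE_NAMES:
        return "sensitive"
    # Only suppress a digest-shaped "v" when it sits on a bundle path; the same
    # parameter name on an application endpoint may actually be consumed.
    if lname == "v" and path.startswith(BUNDLE_PREFIXES) and CACHE_BUSTER_VALUE.match(value):
        return "cache-buster"
    return "review"


def triage_url(url):
    """Classify every parameter of one URL as a list of (name, verdict) tuples."""
    parts = urlsplit(url)
    return [(name, classify_param(parts.path, name, value))
            for name, value in parse_qsl(parts.query, keep_blank_values=True)]


def triage(urls):
    """Return the findings a human still needs to look at, with the parameters that caused it."""
    kept = []
    for url in urls:
        reasons = [(name, verdict) for name, verdict in triage_url(url)
                   if verdict != "cache-buster"]
        if reasons:
            kept.append((url, reasons))
    return kept


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_FINDINGS):
        print(url, "->", ", ".join(f"{n} ({v})" for n, v in reasons))
```

The suppression rule deliberately requires both conditions, a bundle path and a digest-shaped value, because the vendor statement that the query string is ignored applies to the bundling handler, not to every endpoint that happens to take a `v` parameter. Run against the constructed sample, the two bundle URLs drop out and the login redirect, the token URL and the `v=1` application page stay on the list.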