Never Send Sensitive Information in the URL, Even Over HTTPS


There is some confusion about how secure it is to send sensitive information in the URL (or query string) when the connection is over HTTPS.

Here are some basic things to note on this:

  • It’s true that everything in the HTTP request is encrypted, including the URL (query string)

  • The fact that the URL is encrypted in transit doesn’t make it ok to put sensitive data in it, e.g. tokens, identification numbers, PII, etc.

Here are three reasons this is still bad practice:

  1. URLs are often logged by the server side, and who knows where those logs are going to end up

  2. URLs are often sent as referer headers

  3. Browsers log and store URLs

So it’s not just a matter of encryption in transit. Remember that URLs are a special part of web technologies, and they’re logged and passed around in numerous ways in the course of regular operation.

This can lead to data leakage of whatever is stored in those URLs, including things like:

  • user data (name, address, DOB, SSN/NationalID)

  • sensitive tokens

  • anything else that you don’t want logged and stored

Think of the URL as going into the ether, to be logged, stored, sent off to who-knows-where. And it won’t help you at all if those values were sent originally over a secure connection.

Related posts: