Should sensitive data ever be passed in the query string?

  • Should sensitive data ever be passed via the query string as opposed to the POST request? I realize that the query string will be encrypted, but are there other reasons to avoid passing data in the query string, such as shoulder surfing?

    Re: the SO question you linked to: yes, the URL is encrypted, but a man-in-the-middle can often still tell what website you are visiting based on the IP (and other metrics, such as amount of data transferred). If you have SNI enabled (your browser probably does), the domain is actually sent in plain text before upgrading to SSL.

    @TomMarthenal But the pertinent part (for this question) is that the *query string* is encrypted during transmission.

    Agreed, just wanted to throw that out there for anybody else reading.

  • If the query string is the target of a user-clickable link (as opposed to a URL used from some Javascript), then it will appear in the URL bar of the browser when the corresponding page is loaded. It has the following issues:

    • The URL will be displayed. Shoulder surfers may see it and learn things from that (e.g. a password).
    • The user may bookmark it. This can be a feature; but it also means that the data gets written on the disk.
    • Similarly, the URL will make it to the "history" so it will be written to disk anyway; and it might be retrieved afterwards. For instance, if the browser is Chrome, then a lunch-time attacker just has to type Ctrl+H to open the "history tab" and obtain all the query strings.
    • If the page is printed, the URL will be printed, including any sensitive information.
    • URLs including query strings are also frequently logged on the web server, and those logs may not be secured appropriately.
    • There are size limitations on the query string, which depend on the browser and the server (there is nothing really standard here, but expect trouble beyond about 4 kB).

    Therefore, if the query string is a simple link target in an HTML page, then sensitive data should be transmitted as part of a POST form, not encoded in the URL itself. With programmatic downloads (the AJAX way), this is much less of an issue.

    Also, the URL will be printed out if the user goes to print that page.

    You can also add that if bookmarks are synchronized across devices, the sensitive information goes along.

    Thanks for the excellent answer. I appreciate the explanation of the risks!

    URLs with query strings are also frequently logged on the web server, and those logs may not have the best security applied.

    Transmitting sensitive data in forms isn't a silver bullet either, in the event you have a XSS flaw anywhere in your site that can reach that form.

    All the issues are very well summarized. Thanks for this.
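    The server-log risk from the answer above, as an added example (not code from the answer or its commenters): a small check that scans combined-format access log lines for query-string parameters whose names look sensitive, reporting only the parameter names so the check itself does not copy secrets elsewhere. The log lines and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache/Nginx "combined" format), not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /reset?token=abc123def456 HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2020:13:56:05 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed list of parameter names that should never travel in a URL; extend for your app.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret",
                    "api_key", "apikey", "ssn", "session"}

# Matches the quoted request line: method, request target, protocol version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def find_sensitive_query_params(log_text):
    """Return (line_no, method, path, [param names]) for every request whose
    query string carries a parameter with a sensitive-looking name."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        hits = sorted({n for n in names if n.lower() in SENSITIVE_PARAMS})
        if hits:
            # Report parameter names only, never values: the goal is to find
            # leakage, not to copy the secrets into yet another log.
            findings.append((line_no, m.group("method"), parts.path, hits))
    return findings


if __name__ == "__main__":
    for line_no, method, path, hits in find_sensitive_query_params(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(hits)} in the query string")
```

Note that a POST carrying the same fields in its body (line 2 of the sample) leaves nothing for this check to find, which is exactly the property the answer recommends.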

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM