Should sensitive data ever be passed in the query string?
Should sensitive data ever be passed via the query string as opposed to the POST request? I realize that the query string will be encrypted, but are there other reasons to avoid passing data in the query string, such as shoulder surfing?
Re: the SO question you linked to: yes, the URL is encrypted, but a man-in-the-middle can often still tell what website you are visiting based on the IP (and other metrics, such as amount of data transferred). If you have SNI enabled (your browser probably does), the domain is actually sent in plain text before upgrading to SSL.
@TomMarthenal But the pertinent part (for this question) is that the *query string* is encrypted during transmission.
- The URL will be displayed. Shoulder surfers may see it and learn things from that (e.g. a password).
- The user may bookmark it. This can be a feature; but it also means that the data gets written on the disk.
- Similarly, the URL will make it to the "history" so it will be written to disk anyway; and it might be retrieved afterwards. For instance, if the browser is Chrome, then a lunch-time attacker just has to type Ctrl+H to open the "history tab" and obtain all the query strings.
- If the page is printed, the URL will be printed, including any sensitive information.
- URLs including query strings are also frequently logged on the web server, and those logs may not be secured appropriately.
- There are size limitations on the query string, which depend on the browser and the server (there is nothing really standard here, but expect trouble beyond about 4 kB).
Therefore, if the query string is a simple link target in an HTML page, then sensitive data should be transmitted as part of a POST form, not encoded in the URL itself. With programmatic downloads (the AJAX way), this is much less of an issue.
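The server-log point in the answer above is easy to verify on real data. The following is an added example (not code from the question or the answer) that parses Apache/Nginx combined-format access log lines, flags requests whose query string carries a parameter from a sensitive-name list, and rewrites the line with those values redacted. The log lines are constructed for this example, and the `SENSITIVE_PARAMS` list is a hypothetical starting point to be tuned per application. Note that the `POST /login` line in the sample is never flagged: the form body is not part of the request line, so the server never writes it to the access log, which is exactly the difference the answer is describing.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical list of parameter names that should never appear in a URL.
# Extend it with whatever your application treats as secret.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "token", "access_token",
    "session", "sessionid", "ssn", "card", "otp",
}

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?P<rest>.*)$'
)

# Constructed sample log. Line 1 leaks a password, line 4 leaks a reset token;
# line 3 is a POST whose body (not logged) carried the same kind of data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /account?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /reset?token=3f9ab2c1&user=bob HTTP/1.1" 200 812 "-" "curl/8.4.0"
"""


def find_sensitive_params(target):
    """Return the sorted sensitive parameter names present in a request target's query string."""
    query = urlsplit(target).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact_target(target):
    """Replace the value of every sensitive query parameter with REDACTED, leaving the rest intact."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))


def scan_log(lines):
    """Return one record per log line whose query string contains a sensitive parameter."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        params = find_sensitive_params(m.group("target"))
        if params:
            hits.append({"line": lineno, "host": m.group("host"),
                         "method": m.group("method"), "params": params})
    return hits


def redact_log(lines):
    """Return the log with sensitive query values redacted; unparseable lines pass through unchanged."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out.append(line)
            continue
        redacted = redact_target(m.group("target"))
        out.append(line[:m.start("target")] + redacted + line[m.end("target"):])
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in scan_log(lines):
        print(f"line {hit['line']}: {hit['method']} from {hit['host']} leaks {hit['params']}")
    print("\n".join(redact_log(lines)))
```

Redacting after the fact only limits the damage; the values have already been written to disk once, and to any upstream proxy or CDN log as well. The durable fix is the one the answer gives: keep the secret out of the URL in the first place.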
You can also add that if bookmarks are synchronized across devices, the sensitive information goes along.
URLs with qstrings are also frequently logged on the web server, and those logs may not have the best security applied.
Transmitting sensitive data in forms isn't a silver bullet either, in the event you have an XSS flaw anywhere in your site that can reach that form.