Never put important information in the URL parameters of your application. By “important”, I mean anything that could be used to make a non-trivial decision in your application. The same goes for hidden form fields: don’t store or pass anything valuable there either. Important information must be transmitted in a secure manner, and hidden fields and URL parameters are not the place for it.
Risks of putting sensitive information in the URL include: sensitive data being cached, sensitive data being exposed to a man-in-the-middle attacker, and an attacker potentially injecting their own values.
Examples of things that should not be in URL parameters:
- User IDs (when the user is logging into a system; a user ID used only to bookmark a public page is not sensitive)
- Account numbers
- SIN numbers (Social Insurance Numbers)
- Dates of birth and other combinations of information that could possibly be used to impersonate someone
- Home address
- Query or search information
- Personally Identifiable Information (PII)
- A token or session ID
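The following is an added example, not code from the original post, showing the two sides of this advice. The first part contrasts a handler that trusts an account number supplied in `?account=` (or an equivalent hidden field) with one that ignores the URL entirely and resolves the user from a server-side session behind an opaque cookie. The second part is the defender-side check: because query strings are written to access logs, browser history and Referer headers, scanning logs for parameter names such as `account`, `dob` or `token` finds values that have already leaked. The account records, the deny-list of parameter names, the session-store layout and the log lines are all constructed for this illustration.

```python
"""Added example (not from the original post): keep security-relevant values out
of URL parameters and hidden fields, and detect the ones that already leaked.
All names, parameter names, account data and log lines are constructed."""
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# --- Part 1: client-supplied identifier vs server-side session ---------------

# Constructed "database": account number -> record, and which user owns which account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 4000},
}
USER_ACCOUNT = {"alice": "1001", "bob": "1002"}

# Server-side session store: opaque session id -> authenticated user.
SESSIONS: Dict[str, dict] = {}


def login(username: str) -> str:
    """Create a server-side session; the returned id is what an HttpOnly cookie would carry."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def resolve_account_insecure(query: Dict[str, List[str]]) -> Optional[dict]:
    """Vulnerable pattern: the account to show comes straight from ?account=...
    (or a hidden form field). Any caller can change the value and read another record."""
    acct = query.get("account", [None])[0]
    return ACCOUNTS.get(acct)


def resolve_account_secure(cookies: Dict[str, str], query: Dict[str, List[str]]) -> Optional[dict]:
    """Hardened pattern: the URL carries nothing important. The user is taken from the
    server-side session behind the opaque cookie; any ?account= in the query is ignored."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return None  # no valid session: not authenticated
    return ACCOUNTS.get(USER_ACCOUNT.get(session["user"], ""))


# --- Part 2: find sensitive values that already leaked into URLs -------------

# Constructed deny-list of parameter names that should never appear in a URL.
SENSITIVE_PARAMS = {
    "account", "acct", "sin", "ssn", "dob", "address",
    "token", "session", "sessionid", "sid", "password", "q", "search",
}


def find_sensitive_params(url: str) -> List[str]:
    """Return the sensitive parameter names present in a URL's query string, sorted."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in qs if name.lower() in SENSITIVE_PARAMS)


def scan_log_for_sensitive_params(log_lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan Common Log Format lines; report (line number, sensitive params) for each hit."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        # CLF request field looks like: "GET /path?query HTTP/1.1"
        try:
            request = line.split('"')[1]
            path = request.split()[1]
        except IndexError:
            continue  # malformed line, skip it
        found = find_sensitive_params(path)
        if found:
            hits.append((lineno, found))
    return hits


# Constructed access-log sample: lines 1 and 3 leak sensitive values in the URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account?account=1002 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /static/logo.png HTTP/1.1" 200 3014',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /reset?token=abc123&dob=1990-01-01 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    sid = login("alice")
    # Insecure: a request for ?account=1002 returns bob's record to whoever asks.
    print("insecure:", resolve_account_insecure({"account": ["1002"]}))
    # Secure: the same cookie always resolves to alice's own account, whatever the URL says.
    print("secure:  ", resolve_account_secure({"sid": sid}, {"account": ["1002"]}))
    for lineno, params in scan_log_for_sensitive_params(SAMPLE_LOG):
        print(f"log line {lineno}: sensitive parameters in URL: {params}")
```

The secure handler deliberately takes the query as an argument and never reads it, which is the point of the advice: once the authenticated identity lives in the server-side session, there is nothing for a client to tamper with. The log scan is a cheap audit to run over existing access logs before and after such a change.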