DEV Community

loading...
Microsoft Azure

Pushing Left, Like a Boss — Part 5.7 — URL Parameters

shehackspurple profile image Tanya Janca Updated on ・1 min read

This series, and my blog, have moved! Check it out!

Never put information in the parameters in the URL of your application that are important. When I say “important”, I mean something that would potentially be used to make a decision in your application that is not trivial. The same goes for hidden fields, don’t store or pass anything valuable there either. Important information must be transmitted in a secure manner, and hidden fields and URL parameters are not the place for that.

Risks of putting sensitive information in the URL include; sensitive data being cached, sensitive data exposed in the case of a man-in-the-middle attack, or an attacker potentially injecting their own values.

Examples of things that should not be in URL parameters:

  • User IDs (for a user logging into a system, not when it is used to bookmark a public page, and nothing more. Book marks on public pages are not sensitive.)
  • Account numbers
  • SIN Numbers
  • Dates of birth and other combinations of information that could possibly be used to impersonate someone
  • Home address
  • Query or search information
  • Personal Identifiable Information (PII)
  • A token or session ID

Franziska Bühler and I at the Open Security Summit, 2018

Franziska Bühler and I at the Open Security Summit, 2018

Read the rest on my NEW blog!!

Discussion (0)

Forem Open with the Forem app