DEV Community

Tanya Janca for Microsoft Azure


Pushing Left, Like a Boss — Part 5.7 — URL Parameters

This series, and my blog, have moved! Check it out!

Never put important information in the URL parameters of your application. By “important”, I mean anything that could be used to make a non-trivial decision in your application. The same goes for hidden fields: don’t store or pass anything valuable there either. Important information must be transmitted in a secure manner, and hidden fields and URL parameters are not the place for that.

Risks of putting sensitive information in the URL include: the sensitive data being cached, the data being exposed in a man-in-the-middle attack, or an attacker injecting their own values.

Examples of things that should not be in URL parameters:

  • User IDs (when the ID identifies a user logging into a system; not when it is only used to bookmark a public page and nothing more. Bookmarks of public pages are not sensitive.)
  • Account numbers
  • SIN numbers
  • Dates of birth and other combinations of information that could possibly be used to impersonate someone
  • Home address
  • Query or search information
  • Personally Identifiable Information (PII)
  • A token or session ID
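The two risks above, as an added example that is not from the original post: a handler that lets a URL parameter decide whose account is shown, the same handler fixed to derive the account from the server-side session, and a small audit that flags sensitive parameter names in access-log lines. The account records, session store, log format and parameter names are all constructed for this example.

```python
"""Added example (not from the original post): why decisions must not rest on
URL parameters, and a small log audit for sensitive parameter names.
All data below (accounts, session store, log lines) is constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: account records and the server-side session store.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 250},
            "1002": {"owner": "bob", "balance": 900}}
SESSIONS = {"sess-abc": {"user": "alice", "account": "1001"}}

def vulnerable_statement(url: str, session_id: str):
    """Trusts ?account=... from the URL. The logged-in user is ignored, so any
    account number typed into the URL is honoured (the 'injected value' risk),
    and the account number also lands in browser history, caches and logs."""
    if session_id not in SESSIONS:
        return None
    account = parse_qs(urlsplit(url).query).get("account", [None])[0]
    return ACCOUNTS.get(account)

def hardened_statement(url: str, session_id: str):
    """Derives the account from the server-side session: the URL carries
    nothing sensitive, and nothing in it can change whose data is returned."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    return ACCOUNTS.get(sess["account"])

# Constructed parameter names matching the post's list of things to keep out of URLs.
SENSITIVE_PARAMS = {"user_id", "account", "sin", "dob", "address",
                    "token", "session_id", "q", "search"}

def audit_request_log(lines):
    """Return (url, parameter) pairs for sensitive names found in constructed
    access-log lines, so a reviewer can spot values already leaking into logs."""
    findings = []
    for line in lines:
        url = line.split()[1]  # constructed log format: METHOD URL STATUS
        params = parse_qs(urlsplit(url).query)
        for name in sorted(params):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append((url, name))
    return findings

SAMPLE_LOG = [  # constructed access-log lines
    "GET /statement?account=1002 200",
    "GET /docs/page?id=7 200",
    "GET /reset?token=abc123&dob=1990-01-01 200",
]
```

With Alice's session, the vulnerable handler returns Bob's account when the URL says so, while the hardened one returns Alice's regardless of the URL.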

Franziska Bühler and I at the Open Security Summit, 2018


Read the rest on my NEW blog!!
