
Tanya Janca for Microsoft Azure


Pushing Left, Like a Boss — Part 5.7 — URL Parameters

This series, and my blog, have moved! Check it out!

Never put important information in the URL parameters of your application. By “important” I mean anything that could be used to make a non-trivial decision in your application. The same goes for hidden fields: don’t store or pass anything valuable there either. Important information must be transmitted in a secure manner, and hidden fields and URL parameters are not the place for that.

Risks of putting sensitive information in the URL include: sensitive data being cached, sensitive data being exposed in a man-in-the-middle attack, and an attacker potentially injecting their own values.

Examples of things that should not be in URL parameters:

  • User IDs (when a user is logging into a system; not a user ID that merely bookmarks a public page, since bookmarks on public pages are not sensitive)
  • Account numbers
  • SIN (Social Insurance) numbers
  • Dates of birth and other combinations of information that could possibly be used to impersonate someone
  • Home address
  • Query or search information
  • Personally Identifiable Information (PII)
  • A token or session ID
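As an added example (not code from the original post), here is a small Python checker that applies the list above to URLs and to the request lines of an access log, so a reviewer can spot tokens, account numbers or SIN-like values travelling in the query string; the parameter names, value patterns and log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit
# Added example, not the post's own code. Parameter names and value patterns
# are illustrative assumptions; extend them for your own application.
SENSITIVE_PARAM_NAMES = {
    "token", "access_token", "session", "sessionid", "sid", "jsessionid",
    "account", "account_number", "ssn", "sin", "dob", "address", "password",
}
# Value shapes that look sensitive whatever the parameter is called.
SENSITIVE_VALUE_PATTERNS = {
    "sin_or_ssn_like": re.compile(r"^\d{3}[- ]?\d{3}[- ]?\d{3}$|^\d{3}-\d{2}-\d{4}$"),
    "date_of_birth_like": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "long_opaque_token": re.compile(r"^[A-Za-z0-9_-]{32,}$"),
}

def find_sensitive_params(url):
    """Return [(param_name, reason), ...] for query parameters that look sensitive."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES:
            findings.append((name, "sensitive parameter name"))
            continue
        for label, pattern in SENSITIVE_VALUE_PATTERNS.items():
            if pattern.match(value):
                findings.append((name, label))
                break
    return findings

# Constructed access-log lines: the whole request line is written to disk (and
# seen by proxies, caches and browser history), which is exactly the exposure.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /account?account_number=123456789 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /docs/page?id=42 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dashboard?sid=9a8b7c6d5e4f30211234567890abcdef HTTP/1.1" 200 800
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /lookup?q=123-456-789 HTTP/1.1" 200 300
"""
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')

def scan_access_log(log_text):
    """Map each logged request target to its findings (empty list when clean)."""
    results = {}
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            results[match.group(1)] = find_sensitive_params(match.group(1))
    return results

if __name__ == "__main__":
    for target, found in scan_access_log(SAMPLE_LOG).items():
        print(target, "->", found or "clean")
```

Run it against a real access log to find the endpoints whose parameters need to move into a POST body, a cookie or server-side session state.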

Franziska Bühler and I at the Open Security Summit, 2018


Read the rest on my NEW blog!!
