Q&A

Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "" OWASP has a short description of the problem: .
The main problems are generally considered to be
- Bookmarks and browser history if someone has access to the browser
- Access logs at the intended recipient of the query (or any proxies between you and the recipient)
- That the query parameters are included in the "referer" header sent to other servers.
What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of problem).
Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the . It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed

14.0.0 - 2042-10-06

Introduced animals into the world, we believe they're going to be a neat addition.

Last updated 6 years ago

Was this helpful?