Q&A
Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "". OWASP has a short description of the problem: .
The main problems are generally considered to be
Bookmarks and browser history if someone has access to the browser
Access logs at the intended recipient of the query (or any proxies between you and the recipient)
That the query parameters are included in the "referer" header sent to other servers.
What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of problem).
Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the . It can be POSTed, but most implementations (few as they are) that I have seen use query parameters. So having the developers of your service change this could be challenging.
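The leakage paths the answer lists (history and bookmarks, access logs, the Referer header) are easiest to contain on the relying-party side if credential-like values never reach a log line or a shareable URL. The following Python is an added example, not code from the original answer or from any OpenID Connect library: it flags query and fragment parameters that carry tokens, either by well-known parameter name or by the three-segment shape of a JWT, and redacts them before a URL is written to a log. The parameter-name list, the regular expression and the sample callback URL are constructed assumptions for illustration.

```python
"""Detect and redact credential-like query/fragment parameters in URLs.

Added example; the SENSITIVE_PARAMS list and the JWT shape check are
assumptions chosen for illustration, not taken from any standard library.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that carry credentials in OAuth 2.0 / OpenID Connect
# responses. Constructed list; extend it with your application's own names.
SENSITIVE_PARAMS = {"id_token", "access_token", "refresh_token", "code", "token"}

# Shape of a compact JWS/JWT, which is what an ID token looks like:
# header.payload.signature, each segment base64url-encoded (signature may be
# empty for the "none" algorithm).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

REDACTED = "[REDACTED]"


def _is_sensitive(name: str, value: str) -> bool:
    """Flag by well-known name, or by value shape for unusual parameter names."""
    return name.lower() in SENSITIVE_PARAMS or bool(JWT_RE.match(value))


def find_sensitive_params(url: str) -> list[str]:
    """Names of credential-like parameters found in the query and the fragment.

    The fragment (used by the OIDC implicit flow) is never sent to a server or
    in a Referer header, but it does end up in browser history and bookmarks,
    so it is inspected too.
    """
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        for name, value in parse_qsl(component, keep_blank_values=True):
            if _is_sensitive(name, value):
                found.append(name)
    return found


def redact_url(url: str) -> str:
    """Copy of url with credential-like values replaced, safe to write to logs."""
    parts = urlsplit(url)

    def scrub(component: str) -> str:
        # Leave non key=value components (e.g. "#section2") untouched.
        if "=" not in component:
            return component
        pairs = [(n, REDACTED if _is_sensitive(n, v) else v)
                 for n, v in parse_qsl(component, keep_blank_values=True)]
        return urlencode(pairs, safe="[]")

    return urlunsplit(parts._replace(query=scrub(parts.query),
                                     fragment=scrub(parts.fragment)))


if __name__ == "__main__":
    # Constructed sample: an RP callback carrying a fake, unsigned ID token.
    sample = ("https://rp.example/callback?state=xyz"
              "&id_token=eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.")
    print(find_sensitive_params(sample))   # ['id_token']
    print(redact_url(sample))              # ...?state=xyz&id_token=[REDACTED]
```

Redacting at the relying party only protects that party's own logs and whatever it echoes into links; it does nothing for the identity provider's logs, intermediate proxies, or a Referer header sent by the browser while the token is still in the address bar. Removing the token from the URL altogether, as the answer notes is possible by POSTing it, is the stronger fix; the redaction above is the defence-in-depth for the case where that change cannot be made.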