Thanks for the detailed insight into this.
Hedley Smith

Hey Hedley, thanks for the kind words. Exactly, it’s only okay if everything is in your control and behind HTTPS.

That said, after having this in production for a while, the biggest issue we have is services and people occasionally leaking the query URLs, which definitely happens much less when using headers. For example, our error reporting service somehow manages to capture the full URL if the error happened while dealing with an AJAX request, and I also had a colleague paste a screenshot with the URL in chat while debugging an issue.

I don’t feel too good about that. I’m currently testing a transparent nginx proxy on our Heroku setup and hope to post a follow-up this week :)