Always assume URLs are public and NOT secure

Never design your web APIs such that a sensitive field like an auth token is a part of the URL. URLs should never contain sensitive information within them, they should be viewed as a public piece of information. Why?

  1. The URL will be displayed in the browser. Anyone walking by will see the sensitive information.
  2. The URL is saved to browser history and can be bookmarked. Now any other users of the machine have access to the sensitive info.
  3. A user can share their URL with others without realizing there is sensitive info embedded in it. Again, this is your fault, because the contract you should have with your users (and their browsers) is that none of your URLs contain sensitive info.
  4. The URL can appear in the logs of other websites as part of the referrer header. You’ve just exposed secure info to other parties.
  5. A browser extension can log all the URLs your users visit. Some of these will definitely be selling this data to others. A startup called FullContact had this exact issue: https://www.fullcontact.com/blog/never-put-secrets-urls-query-parameters/
  6. The URL visited will be in your server logs. You’ve added a new vector for hackers to exploit.

So for a GET request, where are your options for sending sensitive info like an auth token? You can’t put it in the URL, and you can’t put it in the body (that violates the spec for GET), so it makes sense to always put sensitive info in the HTTP headers.
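As an added example (not code from the original post), here is a small server-side request filter that enforces the rule: the token is accepted only from the Authorization header, a GET that carries a sensitive field in its query string is rejected outright, and the URL is redacted before it reaches the server log. The parameter names in SENSITIVE_PARAMS and the example.com host are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed names of query parameters this API treats as sensitive.
SENSITIVE_PARAMS = {"token", "auth_token", "access_token", "api_key", "password"}


def sensitive_params_in_url(url):
    """Return the set of sensitive parameter names present in the URL's query string."""
    query = urlsplit(url).query
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def extract_bearer_token(headers):
    """Pull a bearer token from the Authorization header; None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_get(url, headers):
    """Decide how to treat a GET. Returns (http_status, log_line, token)."""
    leaked = sensitive_params_in_url(url)
    if leaked:
        # Refuse rather than silently accept: a client that put the token in the
        # URL has already exposed it to history, referrers and intermediaries.
        names = ",".join(sorted(leaked))
        return 400, f"rejected {redact_url(url)} (sensitive query params: {names})", None
    token = extract_bearer_token(headers)
    if token is None:
        return 401, f"unauthenticated {url}", None
    return 200, f"ok {url}", token
```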

For more reading:
https://stackoverflow.com/questions/323200/is-an-https-query-string-secure
https://security.stackexchange.com/questions/29598/should-sensitive-data-ever-be-passed-in-the-query-string