8.3.1 HTTP Query string parameters do not contain sensitive data
Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.
| Level 1 | Level 2 | Level 3 | CWE | NIST |
|---|---|---|---|---|
| X | X | X | 319 | |
General
Sending sensitive data (such as Personally Identifiable Information, credit card numbers, passwords or tokens) in the URL leads to it being recorded in the browser history, in the access logs of the application server, and in the logs of any intermediary (proxies, load balancers, CDNs) that handles the request; it can also leak to third parties through the Referer header. Headers and the message body are not logged by default, which is why the requirement directs sensitive data there.
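The following is an added example, not part of the ASVS text, that makes the requirement concrete. It builds the same API call twice, once with the token and card number in the query string and once with them in the `Authorization` header and JSON body, shows what a combined-format access log line records for each, and includes a small checker that flags sensitive-looking query parameter names in a URL or log line. The endpoint, parameter names, token and card number are all constructed values for this example.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names that should never travel in a query string. This is a
# constructed starting list for the example; extend it for your own application.
SENSITIVE_PARAM_NAMES = {
    "password", "passwd", "pwd", "token", "access_token", "api_key", "apikey",
    "secret", "session", "sessionid", "ssn", "card", "card_number", "cvv",
}


def build_request_bad(base_url: str, token: str, card_number: str) -> dict:
    """Violates 8.3.1: the token and card number ride in the query string,
    so they land in browser history, Referer headers and access logs."""
    query = urlencode({"access_token": token, "card_number": card_number})
    return {"method": "GET", "url": f"{base_url}/charge?{query}",
            "headers": {}, "body": None}


def build_request_good(base_url: str, token: str, card_number: str) -> dict:
    """Meets 8.3.1: the token goes in the Authorization header and the card
    number in the JSON body; the URL itself carries nothing sensitive."""
    return {
        "method": "POST",
        "url": f"{base_url}/charge",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"card_number": card_number}),
    }


def simulate_access_log(request: dict) -> str:
    """Constructed combined-log-format line showing what a typical web server
    records: the request target including its query string, but neither the
    headers nor the body."""
    parts = urlsplit(request["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'203.0.113.5 - - [01/Jan/2024:00:00:00 +0000] '
            f'"{request["method"]} {target} HTTP/1.1" 200 17')


# Matches the quoted request line of a combined-format access log entry.
_REQUEST_LINE = re.compile(
    r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')


def find_sensitive_query_params(url_or_log_line: str) -> list:
    """Return the names of query parameters that look sensitive, taken from a
    bare URL or from the request target inside an access-log line. Useful as
    a code-review aid or as a periodic check over server logs."""
    match = _REQUEST_LINE.search(url_or_log_line)
    target = match.group(1) if match else url_or_log_line
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAM_NAMES]


if __name__ == "__main__":
    base = "https://api.example.test"  # constructed endpoint
    for build in (build_request_bad, build_request_good):
        req = build(base, "tok_123", "4111111111111111")
        line = simulate_access_log(req)
        print(line)
        print("  sensitive query params:", find_sensitive_query_params(line))
```

Running the script prints the two log lines side by side: the first exposes both the token and the card number verbatim, the second records only `POST /charge`. The checker is deliberately name-based; it will not catch a secret placed under an innocuous parameter name, so it complements rather than replaces a review of where each sensitive field is actually sent.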