8.3.1 HTTP Query string parameters do not contain sensitive data

Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.

Level 1 X
Level 2 X
Level 3 X
CWE 319
NIST

General

Sending sensitive data (such as Personally Identifiable Information, credit card numbers, passwords or tokens) in the URL makes it available in the browser history and in the logs of the application server and of any intermediaries (proxies).
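One way to check existing access logs for this problem, shown as an added example that is not part of the original requirement text. The list of parameter names, the log format and the sample lines are assumptions constructed for illustration; adjust them to the application under review.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that indicate sensitive data; adjust to the application.
SENSITIVE_NAMES = re.compile(
    r"(pass(word|wd)?|pwd|token|secret|api[_-]?key|session|ssn|card)", re.I)
# Request line as written by common access-log formats: "VERB target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from ordinary numeric ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def find_sensitive_params(log_line: str):
    """Return (method, path, param_name, reason) for each suspicious query parameter."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    # The query string is inspected for every HTTP verb, not only GET.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SENSITIVE_NAMES.search(name):
            findings.append((m.group("method"), url.path, name, "name"))
        elif looks_like_card(value):
            findings.append((m.group("method"), url.path, name, "card-like value"))
    return findings

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /pay?ref=4111111111111111 HTTP/1.1" 200 87',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in find_sensitive_params(line):
            print(finding)  # only parameter names are reported, never their values
```

Each finding identifies an endpoint whose parameter should move to the message body or a header, as the requirement states.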