0

As this answer suggests, it isn't a good idea to have sensitive information in a URL string. Even though it will be encrypted if you use SSL, it will be stored in a server log in clear text.

How then should GET arguments be passed to a web server securely?

CJ7
  • POST parameters aren't in the URL. What's your question? – bmargulies Oct 23 '12 at 00:15
  • Also, querystring will not be encrypted if you use SSL. – ChrisBint Oct 23 '12 at 00:16
  • @ChrisBint Please read [Are querystring parameters secure in HTTPS (HTTP + SSL)?](http://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl). – Erik Philips Oct 23 '12 at 00:25
  • @bmargulies: my mistake, question edited. – CJ7 Oct 23 '12 at 00:29
  • @ChrisBint, [the query string *will* be encrypted when using HTTPS](http://stackoverflow.com/a/8858241/372643). – Bruno Oct 23 '12 at 02:26
  • Apologies, what I meant is that although the communication is sent encrypted, the (visible in logs and history) querystring does not get modified (encrypted). – ChrisBint Oct 23 '12 at 07:00

1 Answer

3

You are confusing GET with POST data. That answer talks about the query string, that is, the arguments in the URL, which are passed by GET. You shouldn't pass sensitive data in them; instead, pass it in POST fields and HTTP headers.

Nelson
  • [Post](http://en.wikipedia.org/wiki/POST_(HTTP)) and [Http-Headers](http://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions) are the recommended way to send data through SSL/TLS securely. – Erik Philips Oct 23 '12 at 00:28
  • @ErikPhilips I've edited my answer to complete with your http-headers suggestion and make some links. Thanks! :-) – Nelson Oct 23 '12 at 00:38
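
As an added example (not part of the original answer or its comments), the Python sketch below builds the same request three ways and shows what a Common Log Format access log line would keep of each. The host name, client address, timestamp and token are constructed sample values, and `access_log_line` is a hypothetical stand-in for a server's logger.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

SECRET = "s3cr3t-constructed-token"  # constructed sample value, not a real credential

def build_request(method, path, query=None, headers=None, form=None):
    """Return the raw HTTP/1.1 request bytes a client would send over TLS."""
    target = path + ("?" + urlencode(query) if query else "")
    body = urlencode(form).encode() if form else b""
    hdrs = {"Host": "app.example.test", **(headers or {})}  # constructed host
    if body:
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
        hdrs["Content-Length"] = str(len(body))
    head = f"{method} {target} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode() + b"\r\n" + body

def access_log_line(raw, client="203.0.113.7", status=200):
    """Emulate Common Log Format: only the request line is written to the log."""
    request_line = raw.split(b"\r\n", 1)[0].decode()
    return f'{client} - - [23/Oct/2012:00:15:00 +0000] "{request_line}" {status} -'

def logged_query_params(log_line):
    """Query parameters that anyone with read access to the log can recover."""
    target = log_line.split('"')[1].split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query))

# The same secret sent in the query string, in a header, and in a POST body.
in_query = build_request("GET", "/report", query={"id": "42", "token": SECRET})
in_header = build_request("GET", "/report", query={"id": "42"},
                          headers={"Authorization": f"Bearer {SECRET}"})
in_body = build_request("POST", "/report", form={"id": "42", "token": SECRET})

if __name__ == "__main__":
    for name, raw in [("query", in_query), ("header", in_header), ("body", in_body)]:
        line = access_log_line(raw)
        print(f"{name:6} leaked={SECRET in line}  {line}")
```

Headers and bodies stay out of the log only while the server is not configured to record them, so the logging configuration is worth checking as well.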