458

Do querystring parameters get encrypted in HTTPS when sent with a request?

jnm2
Deep

4 Answers

542

Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn't a good idea to put sensitive information in the URL. For example:

URLs are stored in web server logs - typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server

Joe Ratzer
  • 58
    So that does mean that, when DigitalOcean, Google or others ask you to put your API key in the query parameter, anyone who has read-only access to the logs can forge your ID? Say if anyone at Loggly leaks any info, lots of services would be compromised? – Adrien Jan 26 '14 at 15:53
  • 27
    The API key is a short-lived token, typically valid for either one hour or one month (for oauth and similar services) - but if there were a breach of that magnitude, they'd just invalidate ALL outstanding tokens. Everyone has to re-authenticate, using their (presumably) still secure passwords. – David Souther Mar 02 '14 at 19:56
  • 1
    FYI for Rails users... query strings are filtered in addition to POST params when you specify `config.filter_parameters` http://stackoverflow.com/questions/2062405/filtering-parts-or-all-of-request-url-from-rails-logs – colllin Jun 30 '14 at 06:08
  • 9
    Putting sensitive data is not really a problem if the data are disposable (e.g. a one-time token) – Matthieu Charbonnier Jul 20 '17 at 13:57
  • 20
    @MatthieuCharbonnier that's a bold statement. Can you give me access to your bank for 30 minutes? – EralpB Feb 17 '18 at 00:50
  • 27
    @EralpB No, and I think you have misunderstood my statement. But I can give you my confirmation code which I've already used and is now obsolete and useless. – Matthieu Charbonnier Feb 18 '18 at 08:33
  • Neither the log nor the query string is the problem; that access level must be protected at a different security level. Furthermore, don't save the full URL in the log!! ;) – S.M.Mousavi Dec 11 '21 at 15:41
  • Also something to add: The querystring parameters are saved as cleartext in your bookmarks if you bookmark it on the browser. Or, some browser extensions ask for permission to get the address you're connecting to, but they don't inspect the request "body", therefore extensions might read sensitive information if included in querystring parameters rather than post body or http headers. – eaydin Aug 09 '22 at 08:59
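The accepted answer's point is that the query string is protected on the wire but lands in clear text in the server's access log; the comments add that the usual mitigation (as Rails does with `config.filter_parameters`) is to filter those parameters before the line is written. The following is an added example, not code from the original post: it redacts the values of a hypothetical list of sensitive parameter names inside the request field of a combined-format access log line.

```python
"""Redact sensitive query-string values before a request URL reaches a log.

Added example (not from the original post). Assumes Apache/nginx "combined"
style log lines and a hypothetical list of parameter names to treat as secret.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical list of query parameter names that must never be logged in clear.
SENSITIVE_PARAMS = {"password", "api_key", "token", "access_token", "secret"}
REDACTED = "REDACTED"

# Matches the quoted request part of a combined log line: "GET /path?x=1 HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_query(url_or_path: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return the URL or path with values of sensitive query parameters replaced.

    Parameter order and non-sensitive values are preserved; blank values are kept
    (keep_blank_values=True) so 'token=' does not silently disappear from the log.
    Names are compared case-insensitively.
    """
    parts = urlsplit(url_or_path)
    if not parts.query:
        return url_or_path
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Rewrite only the request target inside a combined-format access log line."""
    def _sub(m: re.Match) -> str:
        return f'"{m.group("method")} {redact_query(m.group("target"))} {m.group("proto")}"'
    return _REQUEST_RE.sub(_sub, line)


# Constructed sample log line (not real traffic) in combined format.
SAMPLE_LINE = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /v1/droplets?api_key=abc123&page=2 HTTP/1.1" 200 512 '
               '"-" "curl/8.0.1"')

if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LINE))
```

Applying this at the log-writing hook (or as a post-processing filter before shipping logs to a third party) addresses the exposure the answer describes without changing what is sent over TLS.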
152

Remember, SSL/TLS operates at the Transport Layer, so all the crypto goo happens under the application-layer HTTP stuff.

http://en.wikipedia.org/wiki/File:IP_stack_connections.svg

That's the long way of saying, "Yes!"

Michael Howard-MSFT
67

The entire transmission, including the query string, the whole URL, and even the type of request (GET, POST, etc.) is encrypted when using HTTPS.

Marcelo Cantos
  • 51
    **Careful!** Even if the whole URL is encrypted, the host name can be seen during the initial SSL handshake just before the encrypted transmission! – Matthieu Charbonnier Jul 20 '17 at 14:05
  • 1
    @MatthieuCharbonnier is it valid for post body and headers too? – Must.Tek Mar 12 '20 at 14:31
  • 2
    @Must.Tek I know it's a late reply but for anybody reading this later on: No, the POST body and headers are fully encrypted and they cannot be seen during the initial SSL/TLS handshake. That's why Authorization is usually passed as a header (Bearer token etc.) in HTTPS connections. – eaydin Aug 09 '22 at 08:55
7

I disagree with the advice given here - even the reference for the accepted answer concludes:

You can of course use query string parameters with HTTPS, but don’t use them for anything that could present a security problem. For example, you could safely use them to identity part numbers or types of display like ‘accountview’ or ‘printpage’, but don’t use them for passwords, credit card numbers or other pieces of information that should not be publicly available.

So, no they aren't really safe...!

Steve Winter
  • 80
    All of the answers agree on how safe they are, and the question wasn't about whether they're "safe". It was whether GET parameters are encrypted in HTTPS. Which is answered, along with caveats that you quote. I don't know what your answer is trying to add here in relation to the question, as it's vague and derivative. – Rob Grant Jul 16 '15 at 13:03