-1

Is it secure to pass sensitive information (like unique ids such as user ids) in the HTTPS REST GET URL?

e.g.: GET https://temp.servername.com/user/userid

Sven
sectest
  • Depending on what you can do with that id... Otherwise seems like that's ok. – tvgemert Jun 12 '15 at 07:33
  • http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secure-than-the-other – Yagnesh Dobariya Jun 12 '15 at 07:34
  • It's generally a bad idea to put sensitive data in URLs as it is likely to get stored in places like logs, history, and referrers. But are user IDs *really* sensitive? It will depend on the application, but not typically. – bobince Jun 12 '15 at 17:07
  • Is this a URL you will visit in the browser (returns HTML), or is it an API? The latter avoids some risks (history, referrer, accidental copy&paste). But like bobince said, ids being secret is rather unusual. It is a valid security model (capability based), but you'll need to see if it fits your application. – CodesInChaos Jun 14 '15 at 09:26

1 Answer

0

The presence of unique resource identifiers is important for APIs to be RESTful. I don't think passing a user identifier in the URL is much of a concern, especially when you are using HTTPS. If you are using UUIDs (which prevent random guessing) then it is no problem at all. Still, avoid using incremental ids, which are common in SQL databases; it would be better if you can encode them using base64 etc.

hspandher
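An added example, not part of the original thread or of any project mentioned in it: a `/user/<id>` handler that treats the id in the URL as an identifier rather than a credential, checks ownership on the server, and redacts the id before the path reaches an access log (the logging concern raised in the comments). The names `handle_get`, `redact_for_log`, `USERS` and the in-memory store are assumptions made for illustration.

```python
import base64
import re
import uuid

# Constructed sample store: records keyed by the identifier exposed in the URL.
USERS = {}

def new_user(name):
    """Create a user with a random UUIDv4 id (not derived from a row counter)."""
    uid = str(uuid.uuid4())
    USERS[uid] = {"name": name}
    return uid

def b64_id(n):
    """Base64 form of a sequential id, shown only for comparison."""
    return base64.urlsafe_b64encode(str(n).encode()).decode()

def b64_id_decode(s):
    """Base64 is a reversible encoding: anyone holding the URL recovers the id."""
    return int(base64.urlsafe_b64decode(s).decode())

USER_PATH = re.compile(r"^/user/([0-9a-f-]{36})$")

def handle_get(path, session_user_id):
    """Return (status, body) for GET <path> made by the authenticated user."""
    m = USER_PATH.match(path)
    if not m:
        return 404, None
    requested = m.group(1)
    # Ownership is checked before existence, so the response does not
    # reveal whether somebody else's id is valid.
    if requested != session_user_id:
        return 403, None
    if requested not in USERS:
        return 404, None
    return 200, USERS[requested]

def redact_for_log(path):
    """Replace the id segment before the request path is written to a log."""
    return re.sub(r"^/user/[^/?]+", "/user/<redacted>", path)

if __name__ == "__main__":
    alice, bob = new_user("alice"), new_user("bob")
    print(handle_get(f"/user/{alice}", alice))   # own record
    print(handle_get(f"/user/{bob}", alice))     # someone else's record
    print(redact_for_log(f"/user/{alice}"))
    print(b64_id(1001), b64_id_decode(b64_id(1001)))
```

With the ownership check in place, the response is the same whether the id in the URL is sequential, base64-encoded or a UUID; the choice of id format only affects how easily ids can be guessed.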