Is a HTTPS query string secure?

by

Yes, it is. But using GET for sensitive data is a bad idea for several reasons:

  • Mostly HTTP referrer leakage (an external image in the target page might leak the password[1])
  • Password will be stored in server logs (which is obviously bad)
  • History caches in browsers

Therefore, even though Querystring is secured it’s not recommended to transfer sensitive data over querystring.

[1] Although I need to note that RFC states that browser should not send referrers from HTTPS to HTTP. But that doesn’t mean a bad 3rd party browser toolbar or an external image/flash from an HTTPS site won’t leak it.

More Related Contents:

  1. Are HTTPS URLs encrypted?
  2. node.js, socket.io with SSL
  3. How to do a https request with bad certificate?
  4. How do I restore a missing IIS Express SSL Certificate?
  5. Can you use a service worker with a self-signed certificate?
  6. Enabling SSL with XAMPP
  7. Insecure content in iframe on secure page
  8. Webpack Dev Server running on HTTPS/Web Sockets Secure
  9. SSL Certificate add failed when binding to port
  10. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  11. How to get .pem file from .key and .crt files?
  12. Installation SSL in wamp server: Error in httpd-ssl.conf
  13. How to handle invalid SSL certificates with Apache HttpClient? [duplicate]
  14. Invalid self signed SSL cert – “Subject Alternative Name Missing”
  15. NGINX to reverse proxy websockets AND enable SSL (wss://)?
  16. “verify error:num=20” when connecting to gateway.sandbox.push.apple.com
  17. How to get SSL certificate info with CURL in PHP?
  18. Simple Java HTTPS server
  19. Does Android Volley support SSL?
  20. SSLHandshakeException: No subject alternative names present
  21. Max memory usage of a chrome process (tab) & how do I increase it?
  22. SSL Multilevel Subdomain Wildcard
  23. Amazon S3 – HTTPS/SSL – Is it possible? [closed]
  24. CNAME SSL certificates
  25. NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) iOS
  26. How to Get SSL Certificate to Work With Localhost on Firefox
  27. OpenSSL: unable to verify the first certificate for Experian URL
  28. Switching between HTTP and HTTPS pages with secure session-cookie
  29. cURL requires CURLOPT_SSL_VERIFYPEER=FALSE
  30. How do I use a self signed certificate for a HTTPS Node.js server?

Leave a Comment