-1

If I need to make get request to an html page and thus pass a secret via the url using https, is it true that I'd need to pass it in a query string versus a part of a path url?

my_domain.com/some_url/my_secret123 --> bad
my_domain.com/some_url?secret=my_secret123 --> good

Based on the fact that in https a query string doesn't appear in logs, whereas the url itself, including all its "/" parts - does.

jerry
  • 365
  • 3
  • 4
  • 1
    HTTPS (TLS) protects the whole url, including the query string, so it doesn’t matter. In what logs does the url appear? If it’s the servers (as I suspect you meant) then I don’t see how it can be any different. And even if the query string isn’t logged in some logs it may be in others depending on the specific server-side application. You can’t keep your request secret from the server, but you can from snoopers along the way, by using TLS. – korrigan Mar 14 '18 at 02:51
  • *"Based on the fact that in https a query string doesn't appear in logs,..."* - It might be a fact in your specific environment but it is not a fact in general. In fact it is common to log the full URL which includes the query string. And, if this is the case in your environment and you don't want the secret get logged then it should be obvious that you want to put the secret in the part which does not get logged. In this case it is not clear for me what your question actually is. – Steffen Ullrich Mar 16 '18 at 07:56
  • This doesn't look like a dupe to me - at least not of the supposed Q. The question does make false assumptions and is unclear, thus I'm still voting to close it. – Tobi Nary Mar 27 '18 at 11:28

1 Answers1

0

There isn't any difference between putting the secret in the path or in the query string. Using HTTPS means that both of them will be encrypted.

But you should never transmit secrets in URLs: they tend to be leaked in your server logs, in HTTP referers, etc.

Benoit Esnard
  • 13,979
  • 7
  • 65
  • 65