{
  "id": "S016",
  "name": "Do not pass sensitive data via query string",
  "category": "security",
  "description": "S016 - Do not pass sensitive data (e.g. password, token, secret, apiKey) via the query string in URLs. Query-string values can be exposed in logs, browser history, and network traces.",
  "severity": "error",
  "enabled": true,
  "semantic": {
    "enabled": true,
    "priority": "high",
    "fallback": "heuristic"
  },
  "patterns": {
    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
    "exclude": [
      "**/*.test.js",
      "**/*.test.ts",
      "**/*.spec.js",
      "**/*.spec.ts",
      "**/node_modules/**",
      "**/dist/**",
      "**/build/**"
    ]
  },
  "analysis": {
    "approach": "symbol-based-primary",
    "fallback": "regex-based",
    "depth": 2,
    "timeout": 5000
  },
  "validation": {
    "urlPatterns": [
      "new URL",
      "URLSearchParams",
      "fetch",
      "axios",
      "request",
      "location.href",
      "location.search",
      "querystring.stringify",
      "qs.stringify"
    ],
    "sensitivePatterns": [
      "password",
      "passwd",
      "pwd",
      "pass",
      "token",
      "jwt",
      "accesstoken",
      "refreshtoken",
      "bearertoken",
      "secret",
      "secretkey",
      "clientsecret",
      "serversecret",
      "apikey",
      "api_key",
      "key",
      "privatekey",
      "publickey",
      "auth",
      "authorization",
      "authenticate",
      "sessionid",
      "session_id",
      "jsessionid",
      "csrf",
      "csrftoken",
      "xsrf",
      "ssn",
      "social",
      "socialsecurity",
      "creditcard",
      "cardnumber",
      "cardnum",
      "ccnumber",
      "cvv",
      "cvc",
      "cvd",
      "cid",
      "pin",
      "pincode",
      "bankaccount",
      "routing",
      "iban",
      "email",
      "emailaddress",
      "mail",
      "phone",
      "phonenumber",
      "mobile",
      "tel",
      "address",
      "homeaddress",
      "zipcode",
      "postal",
      "birthdate",
      "birthday",
      "dob",
      "license",
      "passport",
      "identity",
      "salary",
      "income",
      "wage",
      "medical",
      "health",
      "diagnosis"
    ],
    "httpClientPatterns": [
      "fetch",
      "axios.get",
      "axios.post",
      "axios.put",
      "axios.delete",
      "axios.patch",
      "axios.request",
      "request.get",
      "request.post",
      "http.get",
      "http.request",
      "https.get",
      "https.request"
    ]
  }
}
