---
title: Do Not Pass Sensitive Data In Query String
impact: HIGH
impactDescription: prevents sensitive information leakage in logs, browser history, and diagnostic tools
tags: url, query-string, sensitive-data, leakage, security, php
---

## Do Not Pass Sensitive Data In Query String

URL query strings are stored in browser history, web server access logs, and proxy/CDN logs, and they are sent to external sites in the `Referer` header. Sensitive information such as tokens, passwords, or PII (Personally Identifiable Information) placed in a URL should therefore be treated as public.

**Incorrect (sensitive data in URL):**

```php
// Passing token in GET parameter
$response = file_get_contents("https://api.example.com/data?api_key=" . $apiKey);

// Login via GET (Very Dangerous)
// GET /login.php?user=admin&password=secret123

// Passing sensitive PII
// GET /user/details?ssn=123-45-678
```

**Correct (sensitive data in Headers or Request Body):**

```php
// 1. Passing tokens in the Authorization header instead of the URL
$context = stream_context_create([
    'http' => [
        'header' => "Authorization: Bearer " . $accessToken
    ]
]);
$response = file_get_contents("https://api.example.com/data", false, $context);

// 2. Sensitive data in the POST request body
// (using Guzzle for clarity; $client is a GuzzleHttp\Client instance)
$client->post('/login', [
    'form_params' => [
        'user' => 'admin',
        'password' => $password
    ]
]);

// 3. One-time tokens carried in a POST form rather than a link
?>
<form action="/reset-password" method="POST">
    <input type="hidden" name="token" value="<?php echo htmlspecialchars($secureToken); ?>">
    <input type="password" name="new_password">
    <button type="submit">Reset</button>
</form>
<?php
```

**Where query strings leak:**
- **Web Server Logs**: Apache/Nginx logs store the full URL including query strings.
- **Browser History**: Users can see sensitive tokens in their history.
- **Referer Header**: If a page with a token in the URL links to an external image or site, that site receives the token.
- **Proxy/WAF logs**: Intermediate network devices log URLs.
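
Because the leak points above are all logs, a practical check is to scan existing access logs for sensitive parameter names so exposed tokens can be found and rotated. The following is an added example, not code from the original rule; the parameter-name patterns, the `findSensitiveQueryParams`/`scanAccessLog` helper names, and the sample log lines are constructed for illustration.

```php
<?php
// Added example (not the rule page's code): flag sensitive query parameters in access-log lines
// so leaked tokens can be found and rotated. Name patterns and sample lines are constructed.
const SENSITIVE_PARAM_PATTERNS = [
    '/^(api[_-]?key|access[_-]?token|token|auth|session(id)?|jwt|pass(word|wd)?|pwd|secret|otp)$/i',
    '/^(ssn|credit[_-]?card|card[_-]?number|cvv)$/i',
];

/** Sensitive parameter names found in a URL's query string; [] when clean. */
function findSensitiveQueryParams(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $found = [];
    foreach (array_keys($params) as $name) {
        foreach (SENSITIVE_PARAM_PATTERNS as $pattern) {
            if (preg_match($pattern, (string) $name)) {
                $found[] = (string) $name;
                break;
            }
        }
    }
    return $found;
}

/** Scan combined-format log lines; returns [lineNumber => [param names]] for offending lines. */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // The request line is the quoted "METHOD /path?query HTTP/x.y" field.
        if (preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)
            && ($params = findSensitiveQueryParams($m[1])) !== []) {
            $hits[$i + 1] = $params;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic); lines 1 and 3 should be flagged.
$sample = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /login.php?user=admin&password=secret123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /data?page=2&sort=asc HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /api/data?api_key=abc123 HTTP/1.1" 200 128',
];
print_r(scanAccessLog($sample));
```

Any hit means the value has already reached every log that recorded the request, so the token should be rotated and the endpoint moved to a header or POST body as shown above.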

**Tools:** Semgrep, SonarQube, Manual Review, OWASP ZAP (to detect sensitive data in URLs)
