---
title: Do Not Pass Sensitive Data In Query String
impact: HIGH
impactDescription: prevents credential leakage in logs and history
tags: url, query-string, sensitive-data, leakage, security
---

## Do Not Pass Sensitive Data In Query String

Query strings are written to server access logs, stored in browser history, forwarded to third parties in Referer headers, and may be cached by proxies and CDNs. Never put tokens, passwords, or PII in a URL; send them in the request body or in an Authorization header instead.

**Incorrect (sensitive data in URL):**

```ruby
# Tokens/Passwords in GET params
get "/login?user=admin&token=#{access_token}"
```

**Correct (sensitive data in body or headers):**

```ruby
require "rest-client"

# Use POST with the credential in the request body
# (Rails integration-test helper syntax, as in the incorrect example above)
post "/login", params: { user: "admin", token: access_token }

# Or pass the token in the Authorization header; RestClient.get takes (url, headers)
headers = { "Authorization" => "Bearer #{access_token}" }
response = RestClient.get("https://api.example.com", headers)
```

**Where query strings leak:**
- Server access logs (nginx, Apache, Rails logs)
- Browser history
- Referrer headers
- Proxy/CDN logs
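A defender-side check for the leakage paths listed above, added here as an example and not part of the original rule: it flags sensitive parameter names in a URL's query string, redacts their values the way log filtering should, and scans access-log lines for requests that already leaked them. The sensitive-key list and the nginx-style log lines are constructed for this example.

```ruby
require "uri"
require "cgi"

# Parameter names that must never travel in a URL (constructed list for this example).
SENSITIVE_KEYS = %w[token access_token password passwd secret api_key session].freeze

# Matches the request target inside a combined-format access log line.
REQUEST_RE = %r{"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d(?:\.\d)?"}

# Returns the sensitive parameter names present in the query string of +url+.
def sensitive_query_keys(url)
  query = URI.parse(url).query
  return [] if query.nil? || query.empty?
  CGI.parse(query).keys.select { |k| SENSITIVE_KEYS.include?(k.downcase) }
rescue URI::InvalidURIError
  []
end

# Rewrites +url+ with sensitive query values replaced, keeping the other params intact.
def redact_query(url)
  uri = URI.parse(url)
  return url if uri.query.nil? || uri.query.empty?
  pairs = URI.decode_www_form(uri.query).map do |k, v|
    [k, SENSITIVE_KEYS.include?(k.downcase) ? "FILTERED" : v]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

# Scans log lines and reports which ones carry a sensitive parameter in the request URL.
def scan_access_log(lines)
  lines.each_with_index.each_with_object([]) do |(line, idx), findings|
    m = REQUEST_RE.match(line) or next
    keys = sensitive_query_keys(m[1])
    next if keys.empty?
    findings << { line: idx + 1, keys: keys, redacted: redact_query(m[1]) }
  end
end

# Constructed sample of nginx/Apache combined-format log lines.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=admin&token=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"',
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
  '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=ruby&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /reset?password=hunter2 HTTP/1.1" 200 100 "-" "Mozilla/5.0"'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |f| puts "line #{f[:line]}: leaked #{f[:keys].join(', ')} -> #{f[:redacted]}" }
end
```

Running it reports line 1 (token) and line 4 (password); the POST login and the plain search request are not flagged.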

**Tools:** Brakeman, Manual Review

---
