Use of HTTP Request Method With Sensitive Query Strings
Placing sensitive information such as a username, password, session token, or API key directly in a URL is a security risk because URLs are recorded in many places the application does not control: web server and proxy access logs, browser history, bookmarks, and network monitoring tools. A URL with a query string is also forwarded to third parties in the Referer header when the page links out. TLS protects the query string in transit but not in any of these stores, so a secret in a URL is exposed to anyone who can read them.
Example
import http.client

host = "example.com"
conn = http.client.HTTPSConnection(host)
# Vulnerable: the API key travels in the request line, so it ends up in
# access logs, proxy logs and browser history along with the path.
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()
Remediation
To avoid this vulnerability, send sensitive values in request headers (or, for POST requests, in the request body) rather than as URL parameters. Use whichever header the API expects, typically Authorization or a vendor-specific header such as the one below, and keep the request on HTTPS so the header is not readable on the wire. Headers are still visible to your own code and to any logging that captures them, so make sure request logging redacts them.
import http.client

host = "example.com"
# The API key is sent as a header; the header name is whatever the target
# API documents for its credentials.
headers = {
    "X-FullContact-APIKey": "value"
}
conn = http.client.HTTPSConnection(host)
# Only the non-sensitive parameter remains in the URL that gets logged.
conn.request("GET", "/path?otherParam=123", headers=headers)
response = conn.getresponse()
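The following helper shows how to detect secrets in a query string and move them into headers before the request is built. It is an added example, not code from the page or from the rule's own implementation; the SENSITIVE_PARAMS name list and the mapping from parameter name to header name are assumptions for illustration, and the sample URL is constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry credentials. This list is an
# assumption for the example; extend it to match the APIs you call.
SENSITIVE_PARAMS = {
    "apikey", "api_key", "token", "access_token", "auth", "password", "secret",
}


def find_sensitive_params(url):
    """Return the names of query parameters that look like secrets."""
    query = urlsplit(url).query
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    ]


def split_secrets(url):
    """Split a URL into a safe URL and a dict of the secrets removed from it."""
    parts = urlsplit(url)
    safe, secrets = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            secrets[name] = value
        else:
            safe.append((name, value))
    safe_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(safe), parts.fragment)
    )
    return safe_url, secrets


def build_request(url, header_for):
    """Return (request_target, headers) with secrets moved out of the query.

    header_for maps a sensitive query parameter name to the header that
    should carry its value (an assumed mapping; the header name is whatever
    the target API documents). Unmapped secrets raise rather than being
    silently left in the URL.
    """
    safe_url, secrets = split_secrets(url)
    headers = {}
    for name, value in secrets.items():
        if name not in header_for:
            raise ValueError(f"no header configured for sensitive parameter {name!r}")
        headers[header_for[name]] = value
    parts = urlsplit(safe_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target, headers


if __name__ == "__main__":
    # Constructed sample URL mirroring the vulnerable example above.
    url = "https://example.com/path?apiKey=value&otherParam=123"
    print("sensitive parameters in URL:", find_sensitive_params(url))
    target, headers = build_request(url, {"apiKey": "X-FullContact-APIKey"})
    # `target` and `headers` are what you would pass to
    # http.client.HTTPSConnection(host).request("GET", target, headers=headers);
    # the request line that reaches the access log no longer contains the key.
    print("request target:", target)
    print("headers:", headers)
```

The request target returned for the sample URL is `/path?otherParam=123`, and the key only appears in the headers dict. Run `find_sensitive_params` over URLs taken from your own access logs to find places where secrets have already leaked.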
See also
- http.client — HTTP protocol client
- CWE-598: Use of GET Request Method With Sensitive Query Strings
- Never Put Secrets in URLs and Query Parameters
New in version 0.3.4