http — url secret

Use of HTTP Request Method With Sensitive Query Strings

The inclusion of sensitive information, such as a username, password, or API key, directly within a URL is considered a security risk because URLs can be logged in various places, such as web server logs, browser history, and network monitoring tools, making the sensitive information vulnerable to unauthorized access.

Example

http_url_secret_apikey.py

```python
import http.client


host = "example.com"
conn = http.client.HTTPSConnection(host)
conn.request(
    "GET", "/path?apiKey=value&otherParam=123", headers={"Host": host}
)
response = conn.getresponse()
```
Example Output

```console
> precli tests/unit/rules/python/stdlib/http/examples/http_url_secret_apikey.py
⛔️ Error on line 7 in tests/unit/rules/python/stdlib/http/examples/http_url_secret_apikey.py
PY007: Use of GET Request Method With Sensitive Query Strings
Secrets in URLs are vulnerable to unauthorized access.
```

Remediation

To avoid this vulnerability, send sensitive information in request headers rather than as a parameter of the URL, so it is not written to server logs, browser history, or proxy records along with the request line.

http_url_secret_apikey.py

```python
import http.client


host = "example.com"
headers = {
    "Host": host,
    "X-FullContact-APIKey": "value"
}
conn = http.client.HTTPSConnection(host)
conn.request("GET", "/path?otherParam=123", headers=headers)
response = conn.getresponse()
```

Default Configuration

```toml
enabled = true
level = "error"
sensitive_params = [
  "apiKey",
  "pass",
  "password",
  "user",
  "username",
]
```
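The check this rule performs, and the remediation it recommends, as an added example that is not precli's own code: it flags query parameters whose names appear in the default `sensitive_params` list above, redacts them before a URL is logged, and moves them into request headers. Case-insensitive name matching and the `REDACTED` placeholder are assumptions of this example, not behaviour documented on this page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Copy of the rule's default `sensitive_params` list from the configuration above.
DEFAULT_SENSITIVE_PARAMS = ["apiKey", "pass", "password", "user", "username"]


def find_sensitive_params(url: str, sensitive_params=DEFAULT_SENSITIVE_PARAMS) -> list[str]:
    """Return the query parameter names in `url` that are on the sensitive list.

    Matching is case-insensitive here (an assumption; the page does not state
    how precli matches names), so `PASSWORD` is flagged as well as `password`.
    """
    wanted = {name.lower() for name in sensitive_params}
    query = urlsplit(url).query
    return [key for key, _ in parse_qsl(query, keep_blank_values=True) if key.lower() in wanted]


def redact_url(url: str, sensitive_params=DEFAULT_SENSITIVE_PARAMS) -> str:
    """Return `url` with sensitive parameter values replaced by REDACTED.

    Useful on the logging side: access logs and monitoring tools can record the
    request line without retaining the secret itself.
    """
    parts = urlsplit(url)
    wanted = {name.lower() for name in sensitive_params}
    pairs = [(k, "REDACTED" if k.lower() in wanted else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def move_to_headers(url: str, header_map: dict[str, str]) -> tuple[str, dict[str, str]]:
    """Strip mapped parameters from the query string and return them as headers.

    `header_map` names the header that should carry each parameter, for example
    {"apiKey": "X-FullContact-APIKey"} as in the remediation above. The returned
    URL and headers can be passed straight to `conn.request(...)`.
    """
    parts = urlsplit(url)
    headers, kept = {}, []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k in header_map:
            headers[header_map[k]] = v
        else:
            kept.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(kept))), headers
```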

See also

New in version 0.3.4