HTTPS URL Parameters: Are They Safe?

TL;DR

URL parameters in both GET and POST requests are encrypted when using HTTPS. However, they can still be visible in server logs, browser history, and potentially intermediate proxies. Sensitive data shouldn’t be passed via URL parameters – use the request body for that instead.

Understanding the Issue

HTTPS (Hypertext Transfer Protocol Secure) encrypts the communication between your browser and a website’s server. This means anyone intercepting the traffic sees scrambled data, not plain text. But how does this affect URL parameters?

1. How GET and POST Requests Work

  • GET requests append parameters to the URL itself (e.g., https://example.com/search?query=test).
  • POST requests send parameters in the request body, hidden from direct view in the URL.

2. HTTPS Encryption

HTTPS encrypts both the URL (path and query string) and the request body, along with the headers. This protects the data in transit. Note that the hostname itself is still exposed through the DNS lookup and the TLS SNI field; it is the rest of the URL that is hidden.

3. Where Data Can Still Be Visible

  • Server Logs: Web servers often log full URLs, including parameters.
  • Browser History: Your browser stores visited URLs in its history.
  • Proxies and Intermediaries: Any proxy server between your browser and the website might log the URL.
  • Referer Header: The Referer header (spelled that way in the HTTP specification) can include the full URL of the page you came from, passing its parameters to other sites.

4. Securing Sensitive Data

Even with HTTPS, avoid putting sensitive information (passwords, credit card details, personal data) in URL parameters.

  1. Use POST requests for sensitive data: The request body is less likely to be logged directly.
  2. Encrypt the Data Before Sending: If you absolutely must use a parameter, encrypt it client-side before sending and decrypt on the server. This adds another layer of protection but requires careful key management.
  3. Shorten Parameter Lifespans: Use short-lived tokens instead of long-term sensitive data in URLs.

5. Example: Sending Data via POST (Recommended)

Using a tool like curl, you can send data in the request body:

curl -X POST \
  https://example.com/submit \
  -H 'Content-Type: application/json' \
  -d '{"username": "myuser", "password": "mypassword"}'

6. Example: Server-Side Logging (Demonstrates the Risk)

A simple PHP example showing URL parameter logging:

This will log the entire URL, including any GET parameters.
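As an added example (written in Python rather than the page's PHP, and not the page's own code), the following shows the same GET request as a naive access log records it, the redacted line a log filter should write instead, and a scan that finds already-leaked parameters in existing log lines. The sensitive parameter names and the "METHOD URL STATUS" log layout are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of query parameter names that must never reach a log; tune per application.
SENSITIVE_PARAMS = {"password", "passwd", "token", "session", "card", "email"}
REDACTED = "REDACTED"


def naive_log_line(method: str, url: str, status: int) -> str:
    """What a server that writes the full request URL to its access log records."""
    return f"{method} {url} {status}"


def redact_url(url: str) -> str:
    """Replace the values of sensitive query parameters; keep names and everything else."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def safe_log_line(method: str, url: str, status: int) -> str:
    """The line a log filter should write: parameter names kept, secret values dropped."""
    return f"{method} {redact_url(url)} {status}"


# Assumed access-log layout "METHOD URL STATUS"; the URL is the second field.
_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")


def find_leaks(log_lines):
    """Scan existing log lines; return (line_no, [leaked parameter names]) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        query = urlsplit(m.group(2)).query
        names = [k for k, v in parse_qsl(query, keep_blank_values=True)
                 if k.lower() in SENSITIVE_PARAMS and v and v != REDACTED]
        if names:
            hits.append((n, names))
    return hits


if __name__ == "__main__":
    # Constructed sample: a login submitted with GET, so the secret sits in the query string.
    url = "https://example.com/login?user=myuser&password=mypassword&next=%2Fhome"
    print(naive_log_line("GET", url, 200))   # full password lands in the log
    print(safe_log_line("GET", url, 200))    # password=REDACTED
    # Constructed log excerpt: only the first line still carries a secret.
    print(find_leaks([naive_log_line("GET", url, 200), safe_log_line("GET", url, 200),
                      "GET https://example.com/search?query=test 200"]))
```

Running the scan over a real access log is a quick way to find out whether any endpoint is already receiving secrets through the query string.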

7. Mitigating Referrer Header Leaks

  • Use rel="noreferrer" on links: This prevents the Referer header from being sent when a user follows the link.
  • Set an appropriate Referrer-Policy header on your server: This controls which parts of the URL, if any, are included in the Referer header for requests leaving your page.