Difference between revisions of "Query strings and security"

From Mibbit Wiki
(Created page with "Mibbit supports a large set of options for the [Widget], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is ne...")
Line 1: Line 1:
Mibbit supports a large set of options for the [Widget], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is never a good idea. Even using SSL (https://) the data in query strings is at risk at several points along the way from web browser to server.
+
Mibbit supports a large set of options for the [[Widget]], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is never a good idea. Even using SSL (https://) the data in query strings is at risk at several points along the way from web browser to server.
  
 
So would it ever be a good idea to send a password data as a query string? It's a common question and our answer is always in the negative.  There are several reasons for this;
 
So would it ever be a good idea to send a password data as a query string? It's a common question and our answer is always in the negative.  There are several reasons for this;
  
* password data would be stored in weblogs:
+
* password data would be stored in weblogs
We could encrypt or remove these right?
 
  
* data will be stored in browser histories
+
* data may be stored in browser histories
Only client browser has control of these
 
  
 
* http:// referrer gets sent the referring URL, including the whole query string
 
* http:// referrer gets sent the referring URL, including the whole query string
So someone could pick this up
 
  
 
So in short it's just not a great idea, it might be workable for some uses, but not for passwords.
 
So in short it's just not a great idea, it might be workable for some uses, but not for passwords.
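Review bot: the third bullet names the leak vector as "http:// referrer", which reads like a URL scheme rather than the mechanism; the HTTP request header is spelled `Referer`, so "the HTTP Referer header sends the referring URL, including the whole query string" would say exactly what leaks and how. In the same hunk, "weblogs" in the first bullet is easily read as "blogs"; "web server logs" is unambiguous.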

Latest revision as of 12:32, 12 November 2013

Mibbit supports a large set of options for the Widget, most of which can be passed inside the URL. But it is commonly understood that passing sensitive information in query strings is never a good idea: even over SSL (https://), data in the query string is at risk at several points along the way from web browser to server.

So would it ever be a good idea to send password data as a query string? It is a common question, and our answer is always no. There are several reasons for this:

  • password data would be stored in web server logs
  • data may be stored in browser histories
  • the HTTP Referer header carries the referring URL, including the whole query string

In short, it is just not a great idea: it might be workable for some uses, but not for passwords.
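The first and third bullets above are about what ends up in access logs: the request line and the Referer field both carry the full query string. As an added example (not code from the Mibbit wiki or the Widget itself), the Python below redacts sensitive query parameters from a URL and scrubs both fields of a combined-format log line before it is retained; the parameter names and the log line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter names treated as secrets (assumption; adjust to the
# option names actually used by your widget).
SENSITIVE_PARAMS = {"password", "pass", "nickpass", "token"}
REDACTED = "REDACTED"


def sensitive_params_in(url: str) -> list:
    """Return the names of sensitive parameters present in `url`'s query string."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(url: str) -> str:
    """Replace the value of every sensitive query parameter in `url`.

    Parameter order and non-sensitive values are kept so the URL stays useful
    for debugging; note that urlencode may re-encode values (e.g. %20 -> +).
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Quoted fields of a combined-format log line: the request target
# ("GET /path?x=1 HTTP/1.1") and the Referer ("https://site/page?x=1").
# Fields containing spaces (most User-Agent strings) do not match.
_QUOTED_URL = re.compile(r'"(?:(GET|POST|HEAD) )?([^\s"]+)((?: HTTP/[\d.]+)?)"')


def scrub_log_line(line: str) -> str:
    """Redact sensitive query parameters in the request and Referer fields."""
    def _sub(m):
        method, target, proto = m.group(1), m.group(2), m.group(3)
        prefix = f"{method} " if method else ""
        return f'"{prefix}{redact_url(target)}{proto}"'
    return _QUOTED_URL.sub(_sub, line)


# Constructed sample line: a widget page loaded with the password in the URL,
# then a request whose Referer repeats that URL.
SAMPLE_LOG = ('203.0.113.7 - - [12/Nov/2013:12:32:01 +0000] '
              '"GET /?nick=bob&password=hunter2 HTTP/1.1" 200 512 '
              '"https://example.com/chat?password=hunter2" "Mozilla/5.0"')
```

Run `scrub_log_line` over each line before it is written to durable storage; `sensitive_params_in` can double as a detection check for URLs that should never have carried a secret.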