Difference between revisions of "Query strings and security"
(Created page with "Mibbit supports a large set of options for the [Widget], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is ne...") |
Line 1: | Line 1: | ||
− | Mibbit supports a large set of options for the [Widget], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is never a good idea. Even using SSL (https://) the data in query strings is at risk at several points along the way from web browser to server. | + | Mibbit supports a large set of options for the [[Widget]], most are allowed inside the URL. But it's commonly understood that passing sensitive information over query strings is never a good idea. Even using SSL (https://) the data in query strings is at risk at several points along the way from web browser to server. |
So would it ever be a good idea to send a password data as a query string? It's a common question and our answer is always in the negative. There are several reasons for this; | So would it ever be a good idea to send a password data as a query string? It's a common question and our answer is always in the negative. There are several reasons for this; | ||
− | * password data would be stored in weblogs | + | * password data would be stored in weblogs |
− | |||
− | * data | + | * data may be stored in browser histories |
− | |||
* http:// referrer gets sent the referring URL, including the whole query string | * http:// referrer gets sent the referring URL, including the whole query string | ||
− | |||
So in short it's just not a great idea, it might be workable for some uses, but not for passwords. | So in short it's just not a great idea, it might be workable for some uses, but not for passwords. |
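Review bot: the Referer bullet is carried over unchanged as "http:// referrer gets sent the referring URL, including the whole query string", which does not say who receives the URL and writes the header as a URL scheme. Since the two bullets above it were already touched in this revision, suggest rewording it along the lines of "the HTTP Referer header sends the referring URL, including the whole query string, to the next site requested". The first line also still joins two sentences with a comma at "[[Widget]], most are allowed inside the URL".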
Latest revision as of 12:32, 12 November 2013
Mibbit supports a large set of options for the Widget, most of which are allowed inside the URL. But it's commonly understood that passing sensitive information in query strings is never a good idea. Even when using SSL (https://), the data in query strings is at risk at several points along the way from web browser to server.
So would it ever be a good idea to send password data as a query string? It's a common question and our answer is always in the negative. There are several reasons for this:
- password data would be stored in web server logs
- data may be stored in browser histories
- the HTTP referrer (the Referer header) passes on the referring URL, including the whole query string
So in short, it's just not a great idea: it might be workable for some uses, but not for passwords.
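The first and third reasons above can be checked against a server's own access logs. The following is an added example, not Mibbit code: it scans Combined Log Format lines for sensitive query parameters in both the request line and the Referer field and redacts them. The parameter names, hosts and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of sensitive parameters; adjust to the application in use.
SENSITIVE = {"password", "pass", "passwd", "token", "key"}

# Combined Log Format tail: "METHOD target PROTO" status bytes "referer" ...
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, sorted names of sensitive parameters found)."""
    parts = urlsplit(url)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan_line(line):
    """Redact one log line; return (line, {field: [parameter names]})."""
    m = LOG_RE.search(line)
    if not m:
        return line, {}
    hits = {}
    # Referer sits after the target, so rewrite it first to keep offsets valid.
    for field in ("referer", "target"):
        new, found = redact_url(m.group(field))
        if found:
            hits[field] = found
            line = line[:m.start(field)] + new + line[m.end(field):]
    return line, hits

# Constructed sample lines: the first is the server receiving the password,
# the second is a different server that only sees it through the Referer.
SAMPLE = [
    '203.0.113.5 - - [12/Nov/2013:12:32:00 +0000] "GET /widget/?server=irc.example.net&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2013:12:32:09 +0000] "GET /logo.png HTTP/1.1" 200 2048 "https://chat.example.org/widget/?nick=guest&password=hunter2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(*scan_line(entry), sep="\n  hits: ")
```

Redacting logs after the fact only limits how long the value stays on disk; browser history and the Referer seen by other sites are outside the server's control.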