Security Question: Sensitive information in URL
Article Number: 000017123 | Last Modified: 2018/06/12
Sensitive information within URLs may be logged in various locations, including
the user's browser, the web server, and any forward or reverse proxy servers
between the two endpoints. URLs may also be displayed on-screen,
bookmarked or emailed around by users. They may be disclosed to third parties
via the Referer header when any off-site links are followed. Placing session
tokens into the URL increases the risk that they will be captured by an attacker.
The URL in the request appears to contain a session token within the query
It has been observed that sensitive information, such as the session identifier and CSRF token, is passed in GET requests.
The session ID identified in the GET request is not used to track or identify an authenticated user. Instead, it is used to keep track of selections made within an app. Qlik regards the sensitivity of this information as low.
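The logging exposure described above can be checked and contained in stored access logs. The following is an added example, not part of the original article and not Qlik code: it flags requests whose query string carries a session or CSRF parameter and redacts the value. The parameter names, the log format (Common Log Format) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; adjust to the application being reviewed.
SENSITIVE_PARAMS = {"sessionid", "session_id", "sid", "csrf_token", "xsrf_token", "token"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, names_of_sensitive_params_found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, found  # leave untouched targets byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), found


def scan_log(lines):
    """Redact sensitive query values in each log line and report findings."""
    cleaned, findings = [], []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            target, found = redact_target(m.group("target"))
            if found:
                findings.append((lineno, m.group("method"), found))
                line = line[:m.start("target")] + target + line[m.end("target"):]
        cleaned.append(line)
    return cleaned, findings


# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2018:10:00:00 +0000] "GET /app/view?sheet=3&sessionid=abc123 HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Jun/2018:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
    '192.0.2.11 - - [12/Jun/2018:10:00:02 +0000] "GET /app/select?csrf_token=zz9&field=Year HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    cleaned, findings = scan_log(SAMPLE_LOG)
    print(findings)
    print("\n".join(cleaned))
```

The same `redact_target` function can be applied to Referer values before they are written to logs, since that header carries the full URL of the page the user came from.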