I am creating a secure web based API that uses HTTPS; however, if I allow the users to configure it (include sending password) using a query string will this also be secure or should I force it to be done via a POST?
Is an HTTPS query string secure
httpsquery-stringssl
Related Question
- Https URL with token parameter : how secure is it
- C# – Could not establish trust relationship for SSL/TLS secure channel — SOAP
- The maximum possible length of a query string
- Javascript – How to get query string values in JavaScript
- Javascript – Query-string encoding of a Javascript Object
- Node.js – How to get GET (query string) variables in Express.js on Node.js
- Node.js – Enabling HTTPS on express.js
Best Solution
Yes, it is. But using GET for sensitive data is a bad idea for several reasons:
Therefore, even though Querystring is secured it's not recommended to transfer sensitive data over querystring.
[1] Although I need to note that RFC states that browser should not send referrers from HTTPS to HTTP. But that doesn't mean a bad 3rd party browser toolbar or an external image/flash from an HTTPS site won't leak it.