by cess11 132 days ago
If a service is sending auth tokens as URL parameters, stop using it. Those are always public.
2 comments
dangets 132 days ago
I don't disagree with the advice (especially for long-lived tokens), but query parameters are encrypted during transit with HTTPS. You still need to worry about server access logs, browser history, etc., that might expose the full request URL.
karel-3d 132 days ago
Huh? HTTPS encrypts URL parameters?
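The access-log exposure dangets mentions, as an added example that is not part of the thread: a scrubber that finds credential-like query parameters in the request line of combined-format access log entries and redacts their values before the logs are stored or shipped. The parameter-name list and the sample log lines are constructed assumptions.

```python
import re

# Query parameter names treated as credentials (assumed list; extend per service).
SENSITIVE = {"token", "access_token", "auth", "api_key", "apikey", "sig", "password"}

# Request line of a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# One name=value pair inside the request target.
PARAM_RE = re.compile(r'(?P<sep>[?&])(?P<name>[^=&#]+)=(?P<value>[^&#]*)')

def redact_target(target):
    """Redact credential values in a request target; other bytes stay untouched."""
    found = []
    def repl(m):
        if m.group("name").lower() in SENSITIVE and m.group("value"):
            found.append(m.group("name"))
            return f'{m.group("sep")}{m.group("name")}=REDACTED'
        return m.group(0)
    return PARAM_RE.sub(repl, target), found

def scrub_line(line):
    """Return (scrubbed_line, names of credential parameters that were present)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, found = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):], found

# Constructed sample entries (documentation IP range, made-up token values).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] '
    '"GET /download?file=a.pdf&token=abc123 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:12:00:05 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:12:00:09 +0000] '
    '"GET /api/items?API_KEY=k1&page=2 HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        scrubbed, names = scrub_line(entry)
        flag = "LEAK" if names else "ok  "
        print(flag, scrubbed)
```

Redaction only limits further spread; a token that already reached a log should be treated as exposed and rotated.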