Auth in query string

Question

Heroku got interesting blog post:

For security reasons, we will be sunsetting support of auth in query string sooner, which we will announce in the Changelog.

However, no explanation is provided about those reasons. So why auth in query string is considered insecure?

score 2 · Accepted Answer · answered Jun 07 '17 at 13:14

2

The main reason that I'm aware of is that most http servers will log the query string. If the username/password/security token are sent in the query string, these then get stored in the log file, and you increase the potential for exposure.

answered Jun 07 '17 at 13:14

Dan Landberg

3,312
12
17

Do you have an example? – anatoly techtonik Jun 08 '17 at 08:10
1

Not specifically for Heroku, but I know the W3C Extended Log Format (https://www.w3.org/TR/WD-logfile.html) contains the uri-query field. I know IIS logs this by default, and I'd imaging Apache / nginx do the same. – Dan Landberg Jun 08 '17 at 13:52

Auth in query string

1 Answers1