问题
We are reviewing the design of a system. And need to verify what we think may be a security issue.
In this system some sensitive information is sent in the query string. Question is:
- Can the query string parameters be read as the request goes over the internet, even if the request is sent over https?
- Can the query string parameters be read be read from the browsing history on the client machines?
回答1:
When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible by a third party is the server certificate (so they could see the host name, but that's it).
The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.
回答2:
This is certainly a security issue if sensitive details are being passed in get request. Sensitive data will not only get cached in the user's browser but also in any proxy on d way and plus in webserver logs
回答3:
Yes for the first. Not sure about the second - depends on the browser, I guess - but I suspect, Yes, here as well.
来源:https://stackoverflow.com/questions/3837989/sending-sensitive-data-as-a-query-string-parameter