Sending sensitive data as a query string parameter


Problem description

We are reviewing the design of a system, and need to verify what we think may be a security issue.

In this system some sensitive information is sent in the query string. Question is:


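  • Can the query string parameters be read while the request travels over the internet, even if the request is sent over HTTPS?
  • Can the query string parameters be read from the browsing history on the client machine?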

Recommended answer

When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible by a third party is the server certificate (so they could see the host name, but that's it).

The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.
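
An added example, not part of the original answer: since HTTPS does not protect the browser's history, one mitigation is to keep sensitive values out of the URL and send them in the request body instead. The parameter names in `SENSITIVE_KEYS`, the sample URL in the comments, and the assumption that the server accepts a form-encoded POST are illustrative.

```javascript
// Added example: move sensitive query parameters out of the URL.
// SENSITIVE_KEYS is a constructed list; adapt it to the system under review.
const SENSITIVE_KEYS = new Set(["token", "ssn", "password"]);

// Returns a request description in which the URL (the part a browser
// stores in its history) no longer carries the sensitive values.
function splitSensitiveParams(rawUrl, sensitiveKeys = SENSITIVE_KEYS) {
  const url = new URL(rawUrl);
  // Without TLS the whole request, URL or body, is readable in transit.
  if (url.protocol !== "https:") {
    throw new Error("refusing to send sensitive data over " + url.protocol);
  }

  const body = new URLSearchParams();
  // Iterate over a copy: deleting from a live URLSearchParams skips entries.
  for (const [key, value] of [...url.searchParams]) {
    if (sensitiveKeys.has(key.toLowerCase())) {
      body.append(key, value);
    }
  }
  for (const key of new Set(body.keys())) {
    url.searchParams.delete(key);
  }

  const moved = [...body.keys()].length > 0;
  return {
    method: moved ? "POST" : "GET",
    // What ends up in the browser history.
    historyUrl: url.toString(),
    // Per the answer, the host name is what a third party could still see.
    networkVisibleHost: url.hostname,
    // Sent inside the encrypted request, never part of the URL.
    body: moved ? body.toString() : null,
    headers: moved
      ? { "Content-Type": "application/x-www-form-urlencoded" }
      : {},
  };
}

// Constructed sample:
//   splitSensitiveParams("https://app.example.test/report?id=42&token=abc123&lang=en")
// keeps id and lang in the URL and moves token into the body.
```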
