
Rule n° 27 - Sensitive data is not transmitted unencrypted through URLs.

Personal data can be transmitted and intercepted through the URL. Addresses of the type http://domain.com/index.html?password=rabbit are to be avoided. They are easy to find on the Internet or in audience statistics.

#Personal information #Development

Goal

  • Prevent sensitive data from being made public or stored unencrypted at any stage in accessing a page (ISP, proxy, web server, browser history, third-party services, etc.).
  • Allow users to enter sensitive data, safe in the knowledge that it will be protected and kept confidential.

Implementation

Submit sensitive form data by the POST method. Do not include sensitive data in the link URL.

Control

During operations on the website such as logging in to an account, entering personal data, purchasing, etc., check that none of the data entered appears unencrypted in the URL via the following three checks:

  • Check that identification does not lead to a page of the type login.php?user=something@password=123;
  • Also check that the pages do not contain links containing this type of information. Links of the following type are possible: http://user:pass@example.com/ or ftp://user:pass@example.com/. This is obviously very strongly discouraged and should be banned.
  • Also check that the session id is not passed in the URL, resulting in URLs like page.php?SESSIONID=123abc456def. Anyone retrieving this identifier, including by reading over the user's shoulder, would have access to their account.

It is important to carry out these tests with the browser's cookies both enabled and disabled, since certain tools (frameworks, CMS) have the annoying habit of transmitting the information unencrypted in the second case.
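The three checks above can be automated over a list of URLs collected during a test session (address bar, page links, access logs). The following is an added example, not part of the Opquast rule; the parameter-name lists and the sample URLs are assumptions built from the URL shapes quoted above.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed parameter names (not from the rule); extend for the application under test.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}

# Any "name=" pair, whatever separates the pairs (&, ;, or the @ in the rule's example).
PARAM_NAME = re.compile(r"([A-Za-z0-9_.-]+)=")

def audit_url(url):
    """Return the sorted list of findings for one URL; an empty list means clean."""
    findings = set()
    parts = urlsplit(url)
    # Credentials embedded in the authority part: scheme://user:pass@host/
    if parts.username is not None or parts.password is not None:
        findings.add("userinfo-credentials")
    # Names from the query string and from path parameters (/page;jsessionid=...)
    for name in PARAM_NAME.findall(unquote(parts.path + "?" + parts.query)):
        key = name.lower()
        if key in SENSITIVE_PARAMS:
            findings.add("sensitive-parameter")
        if key in SESSION_PARAMS:
            findings.add("session-id-in-url")
    return sorted(findings)

def audit(urls):
    """Map each offending URL to its findings, masking values so the report leaks nothing."""
    report = {}
    for url in urls:
        findings = audit_url(url)
        if findings:
            masked = re.sub(r"=[^&;@#?]*", "=***", url)
            masked = re.sub(r"//[^/@]*@", "//***@", masked)
            report[masked] = findings
    return report

SAMPLE_URLS = [  # constructed sample, using the URL shapes quoted in the rule
    "login.php?user=something@password=123",
    "http://user:pass@example.com/",
    "ftp://user:pass@example.com/",
    "page.php?SESSIONID=123abc456def",
    "https://example.com/cart;jsessionid=0A1B2C?step=2",
    "https://example.com/account?tab=orders",
]

if __name__ == "__main__":
    for masked_url, findings in audit(SAMPLE_URLS).items():
        print(masked_url, findings)
```

Run it once on the URLs gathered with cookies enabled and once on those gathered with cookies disabled, then compare the two reports.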

By Opquast - Read the license

