481

Do querystring parameters get encrypted in HTTPS when sent with a request?


4 Answers

568

Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn't a good idea to put sensitive information in the URL. For example:

URLs are stored in web server logs - typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server.


8 Comments

So that does mean that, when DigitalOcean, Google or others ask you to put your API key in the query parameter, anyone who has read-only access to the logs can forge your ID? Say if anyone at Loggly leaks any info, lots of services would be compromised?
The API key is a short-lived token, typically valid for either one hour or one month (for oauth and similar services) - but if there were a breach of that magnitude, they'd just invalidate ALL outstanding tokens. Everyone has to re-authenticate, using their (presumably) still secure passwords.
Putting sensitive data is not really a problem if the data are disposable (e.g. a one-time token)
@MatthieuCharbonnier that's a bold statement. Can you give me access to your bank for 30 minutes?
@EralpB No, and I think you have misunderstood my statement. But I can give you my confirmation code which I've already used and is now obsolete and useless.
156

Remember, SSL/TLS operates at the Transport Layer, so all the crypto goo happens under the application-layer HTTP stuff.

http://en.wikipedia.org/wiki/File:IP_stack_connections.svg

That's the long way of saying, "Yes!"


72

The entire transmission, including the query string, the whole URL, and even the type of request (GET, POST, etc.) is encrypted when using HTTPS.

5 Comments

Careful! Even if the whole URL is encrypted, the host name can be seen during the initial SSL handshake just before the encrypted transmission!
@MatthieuCharbonnier is it valid for post body and headers too?
@Must.Tek I know it's a late reply but for anybody reading this later on: No, Post Body and Headers are fully encrypted and they cannot be seen during the initial SSL/TLS handshake. That's why Authorization is usually passed as a header (Bearer token etc.) in HTTPS connections.
These responses are misleading. Yes, the hostname is sent during the initial handshake, but only the hostname, which does NOT include GET parameters.
The lesson being: don't store passwords in the hostname.
5

I disagree with the advice given here - even the reference for the accepted answer concludes:

You can of course use query string parameters with HTTPS, but don’t use them for anything that could present a security problem. For example, you could safely use them to identify part numbers or types of display like ‘accountview’ or ‘printpage’, but don’t use them for passwords, credit card numbers or other pieces of information that should not be publicly available.

So, no they aren't really safe...!

1 Comment

All of the answers agree on how safe they are, and the question wasn't about whether they're "safe". It was whether GET parameters are encrypted in HTTPS. Which is answered, along with caveats that you quote. I don't know what your answer is trying to add here in relation to the question, as it's vague and derivative.
