We are reviewing the design of a system and need to verify what we think may be a security issue.
In this system some sensitive information is sent in the query string. Question is:
When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible by a third party is the server certificate (so they could see the host name, but that's it).
The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.
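An added example, not part of the original answer: because the URL can end up in browser history whether or not HTTPS is used, one mitigation is to carry sensitive parameters in the request body instead of the query string. The parameter names and the host `app.example.test` are assumptions made for illustration.

```javascript
// Added example. SENSITIVE holds hypothetical parameter names; adjust per system.
const SENSITIVE = new Set(["token", "ssn", "password"]);

// Split a URL into a history-safe URL plus a form-encoded body that carries
// the sensitive parameters. Both travel inside TLS, but only the URL is
// something the browser may keep in its history.
function splitSensitiveParams(urlString, sensitive = SENSITIVE) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send sensitive parameters over " + url.protocol);
  }
  const body = new URLSearchParams();
  // Snapshot the pairs first: deleting while iterating would skip entries.
  for (const [name, value] of [...url.searchParams]) {
    if (sensitive.has(name.toLowerCase())) body.append(name, value);
  }
  for (const name of new Set(body.keys())) url.searchParams.delete(name);
  return { cleanUrl: url.toString(), body: body.toString() };
}

// Browser side: if the page was already opened with secrets in its URL,
// replace the current history entry with the cleaned URL. What the browser
// recorded before this runs is browser-dependent, so keeping the value out
// of the URL in the first place is the reliable fix.
// `win` is the window object (passed in so the function can be tested).
function scrubAddressBar(win) {
  const { cleanUrl } = splitSensitiveParams(win.location.href);
  if (cleanUrl === win.location.href) return false;
  win.history.replaceState(win.history.state, "", cleanUrl);
  return true;
}

// Constructed sample URL, not taken from any real system.
const sample = "https://app.example.test/report?id=7&token=abc123&ssn=000-00-0000";
const { cleanUrl, body } = splitSensitiveParams(sample);
console.log(cleanUrl); // URL that is safe to appear in history
console.log(body);     // send as an application/x-www-form-urlencoded POST body
```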