
Is there any security advantage of hiding URL parameters? [Resolved]

I am building a web app that needs to be secure. My question is: Is there any security advantage of hiding route parameters? And if so, I am using Angular (don't know if this is important, but there is no harm in adding it).

What I mean by hiding URL parameters is, instead of having a URL that reads

https//yourApp/user/

to have one that reads

https//yourApp/user

but behind the scenes you are processing the request using the user id.


Question Credit: YulePale
Asked July 24, 2019
Posted Under: Security
1 Answers

Is there any security advantage of hiding route parameters

Yes, if they contain anything potentially sensitive.

If you pass information as URL params, either in the query string (?key=value) or as part of the path (/someValue), then these are cached in various places in the browser and host machine.

Most RESTful services expect you to pass some form of identifier in the URL; however, you must consider the impact should that identifier be exposed.

For example, imagine you have an endpoint that accepts username as a URL param (domain.com/users/username) and your username can also be an email address. You essentially expose the user's email address for that service to places you do not control (browser history etc).

You need to make the call on how sensitive each data point is and decide if you are happy exposing it (weigh up the risk).

General rule for me is, if that information can be used to leverage anything over the user or as a stepping stone to expose further info, don't expose it in the URL.


credit: Trickycm
Answered July 24, 2019
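
An added example, not part of the original answer: a small check that can be run over a route list or access-log URLs to find the case described above, an email address carried in the path or query string, and to produce a copy that is safe to log. The names `auditUrl`, `EMAIL_RE` and `PLACEHOLDER` and the sample URLs are assumptions made for this illustration.

```javascript
// Added example: find email addresses carried in a URL's path or query.
// EMAIL_RE is a simple heuristic (assumption), not a full address parser.
const EMAIL_RE = /^[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+$/;
const PLACEHOLDER = "REDACTED"; // hypothetical marker for logs and reports

// Percent-decode one component; keep the raw text if the escape is malformed.
function safeDecode(component) {
  try {
    return decodeURIComponent(component);
  } catch {
    return component;
  }
}

// Returns where an email-like value appears and a copy of the URL that is
// safe to write to logs.
function auditUrl(raw) {
  const url = new URL(raw);
  const findings = [];

  // Path form: /users/alice%40example.com or /users/alice@example.com
  url.pathname = url.pathname
    .split("/")
    .map((segment) => {
      if (!EMAIL_RE.test(safeDecode(segment))) return segment;
      findings.push("path");
      return PLACEHOLDER;
    })
    .join("/");

  // Query form: ?user=bob@example.com (searchParams yields decoded values)
  const query = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const hit = EMAIL_RE.test(value);
    if (hit) findings.push(`query:${key}`);
    query.append(key, hit ? PLACEHOLDER : value);
  }
  url.search = query.toString();

  return { findings, redacted: url.toString() };
}

// Constructed sample URLs, not taken from any real service.
for (const sample of [
  "https://domain.com/users/alice%40example.com",
  "https://domain.com/search?user=bob@example.com&page=2",
  "https://domain.com/users/7f3c9a",
]) {
  console.log(auditUrl(sample));
}
```

An opaque identifier such as the one in the third sample passes unchanged, while the email forms are reported whether they arrive percent-encoded or literal.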