
query: mention security aspects of moving query component into body #1895

Closed
reschke opened this issue Jan 20, 2022 · 7 comments
reschke (Contributor) commented Jan 20, 2022

David Slik (https://lists.w3.org/Archives/Public/ietf-http-wg/2022JanMar/0081.html):

Moving query parameters from the request URI to the request body improves overall security, given that the request URI is often cached, stored, logged and otherwise potentially disclosed by intermediary systems. As a result, if PII or other sensitive information is included in the query section of a URI, it is at a higher risk when compared to when it is included in the request body.

A description of this advantage may be worth including.
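To make the disclosure path concrete, here is an added illustration (not text from the issue, the draft, or any of the commenters): a small Python helper that extracts what a Common Log Format access log records of each request-target, and a defensive redaction of query values before such a line is stored. The log lines are constructed samples; note that the body of the QUERY request never appears in the log line at all, which is the property the quoted comment relies on.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Line 1: a GET with PII in the query component; line 2: the same search sent
# as a QUERY request whose parameters travel in the body, so only the path is logged.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2022:10:00:00 +0000] "GET /search?email=alice%40example.org&q=invoices HTTP/1.1" 200 512
192.0.2.11 - - [20/Jan/2022:10:00:01 +0000] "QUERY /search HTTP/1.1" 200 512
"""

# The quoted request line inside a CLF record: method, request-target, version.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[0-9.]+)"')


def query_components_in_log(log_text):
    """Return the raw query strings an unredacted log would disclose, in order."""
    disclosed = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            query = urlsplit(m.group("target")).query
            if query:
                disclosed.append(query)
    return disclosed


def redact_query(target, keep=()):
    """Replace every query value with [redacted], except parameters named in `keep`."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, v if k in keep else "[redacted]") for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    return urlunsplit(parts._replace(query=urlencode(redacted, safe="[]")))


def redact_log_line(line, keep=()):
    """Rewrite one CLF record so stored logs no longer carry sensitive query values."""
    def repl(m):
        target = redact_query(m.group("target"), keep)
        return f'"{m.group("method")} {target} {m.group("version")}"'
    return REQUEST_LINE.sub(repl, line)


if __name__ == "__main__":
    print(query_components_in_log(SAMPLE_LOG))
    for line in SAMPLE_LOG.splitlines():
        print(redact_log_line(line, keep=("q",)))
```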

candoumbe commented

The security advantage mentioned here could also be viewed as a debug/development drawback because the server most of the time logs urls to have some insights on what was requested by the 'client'.

asbjornu commented Nov 3, 2022

Related to the discussion in #1909. I agree with @candoumbe that if any advice is given, some pros and cons of both alternatives should probably be enumerated.

reschke (Contributor, Author) commented Oct 17, 2024

Security frequently comes with a lack of convenience; here not having the query logged is part of why we are doing this.

That said, if you want to propose text, please go ahead.

reschke added a commit that referenced this issue Nov 13, 2024
@reschke reschke changed the title safe-method-w-body: mention security aspects of moving query component into body query: mention security aspects of moving query component into body Nov 17, 2024
mnot (Member) commented Jan 21, 2025

Just my .02 - I'd be wary of making claims about security that are based just on implementation practice (e.g., what logs expose and don't).

reschke (Contributor, Author) commented Jan 21, 2025

Ok, let's close this.

@reschke reschke closed this as completed Jan 21, 2025
MikeBishop (Contributor) commented

I'm curious; we already merged #2259 which contains this text. Is that okay, or do we want a separate issue to remove that text?

reschke (Contributor, Author) commented Jan 27, 2025

Good point. Did we forget to close the issue?
