Is it safe to pass access token as query param? #79
Comments
I have the same question.
Passing an access token as a query parameter is generally not recommended from a security standpoint.

URL visibility: query parameters are often visible in browser history and server logs, and can be easily copied from the URL. This means that if someone gains access to a user's browser history or a server log, they could potentially obtain the access token, which can be used maliciously.

Caching: some web browsers and caching mechanisms may cache URLs, including query parameters. If an access token is included in a URL, it could be cached on the user's device or on intermediary caching servers, making it accessible even after the user logs out or the token expires.
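To make the first point concrete, here is an added example in JavaScript; it is not code from this thread or from the demo project. It takes a redirect URL of the shape the success handler builds, with a made-up token, shows that the token lands verbatim in a Common Log Format access-log line and in the Referer header of same-origin requests made from that page, and then redacts sensitive query parameters before a URL is logged. The URL, token, client IP and timestamp are all constructed for the example.

```javascript
// Added example, not code from the original thread or the demo project:
// how a token placed in the query string of the post-login redirect ends up
// in an access log and a Referer header, plus a redaction helper for
// anything that logs URLs.

// Constructed: the shape of redirect the success handler builds, with a
// hypothetical token value.
const REDIRECT_URL =
  'http://localhost:3000/oauth2/redirect?token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiI0MiJ9.c2ln';

// The Common Log Format line a static-file server or reverse proxy writes when
// the browser follows the redirect: the request line carries the full query.
function accessLogLine(url, clientIp = '203.0.113.7') {
  const u = new URL(url);
  return `${clientIp} - - [10/Oct/2023:13:55:36 +0000] "GET ${u.pathname}${u.search} HTTP/1.1" 200 512`;
}

// Referer the browser attaches under its default policy
// (strict-origin-when-cross-origin): the full URL minus fragment for
// same-origin requests, the origin only cross-origin, and nothing at all on an
// HTTPS -> HTTP downgrade.
function refererFor(pageUrl, targetUrl) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  if (page.origin === target.origin) return page.origin + page.pathname + page.search;
  if (page.protocol === 'https:' && target.protocol !== 'https:') return null;
  return page.origin + '/';
}

// True when the token value appears verbatim in a blob of text (log line,
// history entry, Referer header, pasted link).
function leaksToken(text, url) {
  const token = new URL(url).searchParams.get('token');
  return token !== null && text.includes(token);
}

// Query parameters that must never reach a log in clear text.
const SENSITIVE_PARAMS = new Set(['token', 'access_token', 'id_token', 'refresh_token', 'code']);

// Replace sensitive query values before the URL is logged or otherwise stored.
// This only protects your own logs: browser history and any third party that
// receives the URL still see the real value.
function redactUrl(url) {
  const u = new URL(url);
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) u.searchParams.set(name, 'REDACTED');
  }
  return u.toString();
}

// Before and after, over the constructed redirect.
function demo() {
  const raw = accessLogLine(REDIRECT_URL);
  const redacted = accessLogLine(redactUrl(REDIRECT_URL));
  const sameOriginReferer = refererFor(REDIRECT_URL, 'http://localhost:3000/static/app.js');
  return {
    raw,
    redacted,
    sameOriginReferer,
    rawLeaks: leaksToken(raw, REDIRECT_URL),
    refererLeaks: leaksToken(sameOriginReferer, REDIRECT_URL),
    redactedLeaks: leaksToken(redacted, REDIRECT_URL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Redaction is a logging hygiene measure, not a fix: the only way to keep the token out of history, Referer headers and intermediary caches is to not put it in the URL in the first place.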
Side note: when using SSE with the standard approach, like:
you have no possibility of adding any headers (i.e. an Authorization header with a Bearer token/JWT).
A user agent storing any form of token is not good practice according to this article. One of the approaches is to use a BFF server along with session cookies in the user agent.
spring-boot-react-oauth2-social-login-demo/spring-social/src/main/java/com/example/springsocial/security/oauth2/OAuth2AuthenticationSuccessHandler.java
Line 66 in 1b77669
In the above link, an access token is generated and passed back to the user agent (browser) as a query param. Is there a security risk in transferring an access token in a plain-text URL?