Information Disclosure - Sensitive Information in HTTP Referrer Header

ID

information_disclosure_sensitive_information_in_http_referrer_header

Severity

info

Kind

Information Disclosure

CWE

598

Description

The HTTP Referer header may have leaked a potentially sensitive URL parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings this check matches against parameter names to add or remove values specific to your environment.

Rationale

When sensitive parameters are included in URLs, the browser automatically sends them via the Referer header to any third-party resources loaded on the page or external sites linked from the page. An attacker who controls or compromises these third-party domains can harvest session tokens, authentication credentials, or private identifiers from server logs. This leakage occurs passively without user awareness and can expose data to analytics providers, advertising networks, or malicious sites.

Remediation

Do not pass sensitive information in URIs.
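The following is an added example, not part of this finding's template or the scanner's own code: it models which sensitive query-parameter names from a page URL would reach another server in the Referer header, under the browser default and each Referrer-Policy value, so a reviewer can see why a token in the URL leaks even when the page itself never displays it. The sensitive-name list and the URLs are constructed assumptions standing in for the configurable list mentioned above.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the check's configurable list of sensitive parameter
# names (assumption: the real list is environment-specific).
SENSITIVE_PARAMS = {"token", "session", "sessionid", "password", "apikey", "api_key", "auth", "ssn"}


def find_sensitive_params(url):
    """Return the sensitive query-parameter names present in url (case-insensitive)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def referer_sent(page_url, target_url, policy=None):
    """Model the Referer value a browser sends when the page at page_url loads or
    links to target_url under the given Referrer-Policy. policy=None means the
    browser default (strict-origin-when-cross-origin). Returns None if no Referer
    is sent at all."""
    src, dst = urlparse(page_url), urlparse(target_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    # Browsers strip the fragment and any userinfo before sending the full URL.
    host = src.netloc.rsplit("@", 1)[-1]
    full = src._replace(fragment="", netloc=host).geturl()
    origin = f"{src.scheme}://{host}/"
    policy = policy or "strict-origin-when-cross-origin"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    # strict-origin-when-cross-origin: full URL to the same origin, origin only
    # cross-origin, and nothing on an HTTPS-to-HTTP downgrade.
    if same_origin:
        return full
    return None if downgrade else origin


def referer_leaks(page_url, target_url, policy=None):
    """Sensitive parameter names that would reach target_url's server via Referer."""
    ref = referer_sent(page_url, target_url, policy)
    return find_sensitive_params(ref) if ref else []
```

Calling `referer_leaks("https://shop.example/reset?token=abc123", "https://cdn.tracker.example/pixel.gif", "unsafe-url")` returns `["token"]`, while the same call under the browser default returns `[]` because only the origin is sent; a same-origin link still carries the full URL, which is why the remediation is to keep secrets out of URIs rather than rely on policy alone.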