Information Disclosure - Sensitive Information in URL
ID | information_disclosure_sensitive_information_in_url
Severity | info
Kind | Information Disclosure
CWE | 598 (Use of GET Request Method With Sensitive Query Strings)
Description
The request appeared to carry sensitive information in the URL: a parameter name or value that matches the check's list of strings, such as a credential, session token, card number or personal identifier. Sending such data in a GET query string records it in logs and histories outside the application's control and can violate PCI DSS and most organizational compliance policies. The list of strings this check matches is configurable, so you can add or remove values specific to your environment.
Rationale
URLs are recorded in many places the application does not control: browser history, bookmarks, proxy and CDN logs, web server access logs, crash reports and third-party analytics. TLS encrypts the URL in transit but does not stop any of that logging, and unless a Referrer-Policy restricts it, the full URL is also sent to other origins in the Referer header whenever the page loads a cross-origin resource or the user follows a link. Anyone with access to any of these records can recover authentication tokens, passwords, card numbers or personal identifiers long after the original request. URLs are also exposed by shoulder surfing and by links copied into chat, tickets or e-mail, so a single disclosure tends to propagate.
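The following is an added example, not part of the original check description, showing how the detection described above can be run over web server access logs: it flags query or fragment parameters whose names are on a configurable list, values that look like a JWT or a Luhn-valid card number, and credentials embedded in the URL's userinfo. The parameter-name list, the value patterns and the log lines are all constructed for this example and are not the check's real configuration.

```python
"""Detect sensitive data leaked in request URLs, e.g. from web server access logs."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Configurable list of parameter names treated as sensitive (case-insensitive).
# Assumed for this example; extend it for your environment.
SENSITIVE_PARAM_NAMES = {
    "password", "passwd", "pwd", "pass",
    "token", "access_token", "auth_token", "api_key", "apikey", "secret",
    "session", "sessionid", "session_id", "jsessionid", "phpsessid",
    "ssn", "card", "cardnumber", "cc", "cvv",
}

# Value patterns that are sensitive regardless of the parameter name.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
DIGIT_RUN_RE = re.compile(r"\d[\d -]{11,21}\d")  # candidate card numbers, spaces/dashes allowed
LOG_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """True if the value contains a 13-19 digit run that passes Luhn."""
    for m in DIGIT_RUN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def find_sensitive(url: str) -> List[Tuple[str, str]]:
    """Return (reason, parameter) pairs for anything sensitive found in the URL."""
    parts = urlsplit(url)
    findings = []
    # Fragments are not sent to the server but do land in browser history and
    # client-side analytics, so they are scanned alongside the query string.
    for source in (parts.query, parts.fragment):
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAM_NAMES:
                findings.append(("sensitive parameter name", name))
            elif JWT_RE.match(value):
                findings.append(("JWT in value", name))
            elif looks_like_card(value):
                findings.append(("card number in value", name))
    # Basic-auth style credentials in the authority (https://user:pass@host/)
    if parts.password is not None:
        findings.append(("credentials in userinfo", parts.username or ""))
    return findings


def scan_access_log(text: str) -> List[Dict]:
    """Scan common/combined-format access log lines and report lines with findings."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_REQUEST_RE.search(line)
        if not m:
            continue
        hits = find_sensitive(m.group("target"))
        if hits:
            results.append({"line": lineno, "method": m.group("method"),
                            "path": urlsplit(m.group("target")).path, "findings": hits})
    return results


# Constructed sample log; the card number is the well-known Visa test number.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /dashboard?sessionid=8f3a2c HTTP/1.1" 200 1532
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 8421
203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /pay?amount=10&number=4111111111111111 HTTP/1.1" 200 301
198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /api/v1/me?jwt=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(f"line {hit['line']}: {hit['method']} {hit['path']} -> {hit['findings']}")
```

Only the name list and the two value patterns need adjusting per environment; the card check deliberately requires a Luhn-valid run so that order numbers and timestamps are not reported.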
Remediation
Do not pass sensitive information in URIs. Transmit it in POST request bodies, which web servers and proxies do not log by default, or in cookies carrying the HttpOnly, Secure and SameSite attributes. For session management, keep session state on the server and reference it with an opaque, randomly generated session identifier rather than embedding tokens or credentials in URLs. If query parameters are needed for non-sensitive data, validate them strictly and set a Referrer-Policy header (for example `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin`) so the URL is not forwarded to other origins in the Referer header. Where a URL must carry a secret, as with password-reset links, make the value single-use and short-lived and have the receiving endpoint redirect to a clean URL immediately so it does not linger in history or logs.
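As an added example, not code from the original check description, the block below contrasts the flagged pattern (an API token placed in a redirect URL) with the remediation above: an opaque session identifier generated with `secrets`, user data held server-side, the identifier delivered in a cookie with HttpOnly, Secure and SameSite set, and a Referrer-Policy header on the response. The in-memory `SESSIONS` store and the response dictionaries are assumptions standing in for a real framework and session backend.

```python
"""Opaque server-side session in a hardened cookie, versus a token in the URL."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Hypothetical in-memory session store; a real deployment uses a database or cache.
SESSIONS: Dict[str, Dict] = {}


def vulnerable_login_redirect(user: str, api_token: str) -> Dict:
    """The pattern this check flags: the credential rides in the query string
    and will be written to browser history, access logs and Referer headers."""
    return {"status": 302,
            "headers": {"Location": f"/dashboard?user={user}&token={api_token}"}}


def hardened_login_response(user: str) -> Dict:
    """Issue an opaque session id, keep user data server-side, set a hardened cookie."""
    session_id = secrets.token_urlsafe(32)   # 256 bits of randomness, meaningless on its own
    SESSIONS[session_id] = {"user": user}

    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True     # not readable from page scripts
    cookie["session"]["secure"] = True       # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict" # not sent on cross-site requests
    cookie["session"]["path"] = "/"

    headers = {
        "Location": "/dashboard",                          # nothing sensitive in the URL
        "Set-Cookie": cookie.output(header="").strip(),
        "Referrer-Policy": "no-referrer",                  # never forward our URLs elsewhere
    }
    return {"status": 302, "headers": headers}


def session_from_cookie(cookie_header: str) -> Optional[Dict]:
    """Resolve the session referenced by the request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login_redirect("alice", "abc123")["headers"]["Location"])
    resp = hardened_login_response("alice")
    print("hardened:  ", resp["headers"])
    sid = resp["headers"]["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print("lookup:    ", session_from_cookie(f"session={sid}"))
```

The hardened response leaves the `Location` free of parameters, so the only thing a log or Referer header can record is `/dashboard`; the identifier itself is meaningless without the server-side store and can be revoked by deleting its entry.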