Happy New Year Luke! Am afraid I cannot get to it for another 3 weeks, but if someone has not knocked it off by Feb, will jump on it.
Sincerely,
Malini
No need to have it right away @mkbhanda - I have assigned to you and if any problems, just comment or unassign yourself. thanks in advance for your contribution(s).
Hey, sorry for possibly wrong ping, but @ericwb, do you mind if I take this issue? It seems to be long forgotten, and I feel like even the basic form of secret detection is useful.
Is your feature request related to a problem? Please describe.
GET URLs that have parameters, whether http or https, leak sensitive information when they capture parameters such as API keys, usernames, and passwords. Browser extensions, bookmarks, history, and server log files capture these, even when operating in anonymous mode. Browser providers could share the information, and log files need to mask the sensitive information.
Noticed sites such as Here and Google, for ease of use, suggest putting API keys in the URL.
See: https://developer.here.com/documentation/geocoder/topics/quick-start-geocode.html and
https://developers.google.com/maps/documentation/roads/get-api-key
Describe the solution you'd like
It would be good to flag such 'sensitive' URL construction, alerting the developer to its potential security implications. And its complement: alert when URLs are logged in the code when they have not been explicitly marked as "ignore" or have not had some kind of masking applied.
Describe alternatives you've considered
None
Additional context
https://www.fullcontact.com/blog/never-put-secrets-urls-query-parameters/
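As an added illustration of both halves of the request (it is not Bandit's code and not the issue author's), the following Python does a small static scan of source text for URLs built with sensitive query parameters, including f-string templates, and provides a masking helper plus a `logging.Filter` so that a URL reaching a log file has its secret values redacted. The sensitive parameter-name list, the URL regex, the `example.com` hosts and the sample source are all assumptions chosen for the demonstration.

```python
"""Added example (not Bandit's own code, and not the issue author's): a small
static check that flags URLs built with sensitive query parameters in Python
source, plus a masking helper and logging filter for the complementary case.
The parameter-name list, regex, hosts and sample source are assumptions."""
import ast
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as sensitive (assumed list; extend to taste).
SENSITIVE_PARAMS = {
    "api_key", "apikey", "key", "token", "access_token",
    "password", "passwd", "pwd", "secret", "username", "user",
}

# Matches an http(s) URL inside a string literal or a log message.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def sensitive_params_in(url):
    """Return the sensitive query-parameter names present in `url`, sorted."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in SENSITIVE_PARAMS})


def mask_url(url, mask="REDACTED"):
    """Replace the value of every sensitive query parameter with `mask`,
    leaving scheme, host, path and harmless parameters unchanged."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, mask if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


class _SensitiveUrlFinder(ast.NodeVisitor):
    """Collect (line, sensitive_param_names, url) for every string literal,
    including f-string templates, holding a URL with a sensitive parameter."""

    def __init__(self):
        self.findings = []

    def _check(self, lineno, text):
        for url in URL_RE.findall(text):
            params = sensitive_params_in(url)
            if params:
                self.findings.append((lineno, params, url))

    def visit_JoinedStr(self, node):
        # Rebuild the f-string with "{}" in place of each placeholder so the
        # static part (which carries the parameter names) can be inspected.
        template = "".join(
            part.value if isinstance(part, ast.Constant) else "{}"
            for part in node.values
        )
        self._check(node.lineno, template)
        # No generic_visit on purpose: the pieces were examined as one template.

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self._check(node.lineno, node.value)


def scan_source(source):
    """Static check: return findings for URLs built with sensitive parameters."""
    finder = _SensitiveUrlFinder()
    finder.visit(ast.parse(source))
    return finder.findings


class MaskUrlsFilter(logging.Filter):
    """Logging filter that masks sensitive parameters in any URL appearing in a
    record's formatted message, so the secret never reaches a handler or file."""

    def filter(self, record):
        record.msg = URL_RE.sub(lambda m: mask_url(m.group(0)), record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def masked_log_message(msg, *args):
    """Format `msg % args` through MaskUrlsFilter and return the resulting text."""
    record = logging.LogRecord("demo", logging.INFO, "demo.py", 0, msg, args, None)
    MaskUrlsFilter().filter(record)
    return record.getMessage()


# Constructed sample source for the static check (keys and passwords are fake).
SAMPLE_SOURCE = (
    "import logging\n"
    'HERE_KEY = "constructed-sample-key"\n'
    'url = f"https://geocode.example.com/v1/geocode?apiKey={HERE_KEY}&searchtext=Berlin"\n'
    'login = "https://login.example.com/auth?username=alice&password=constructed"\n'
    'safe = "https://example.com/search?q=berlin&page=2"\n'
    'logging.info("requesting %s", url)\n'
)

if __name__ == "__main__":
    for lineno, params, url in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: sensitive parameter(s) {params} in URL {url}")
    print(masked_log_message(
        "requesting %s",
        "https://geocode.example.com/v1/geocode?apiKey=constructed-sample-key&searchtext=Berlin",
    ))
```

Attaching `MaskUrlsFilter` to a logger (`logger.addFilter(MaskUrlsFilter())`) redacts matching parameters before any handler writes the record; the static scan is what a Bandit-style plugin would run over each file, and its f-string handling is what catches the common `f"...?apiKey={key}"` construction the issue describes, where the secret itself is not a literal but the parameter name is.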