Basically… A query param is like ?id=100. So https://rakka.tk/book?id=5&chapter=1 has two query params. And the significance is that it’s in the URL. So when the server sees it, if the URL is logged, it’ll contain all of that. URLs are pretty much always logged. So now you have auth tokens (effectively passwords) in logs, which are rarely encrypted or protected, since logs aren’t meant to contain sensitive information.

  • southerntofu · 3 years ago

    And that’s why we use POST requests for authenticated queries :)