Basically… A query param is like ?id=100. So https://rakka.tk/book?id=5&chapter=1 has two query params. And the significance is that it’s in the URL. So when the server sees it, if the URL is logged, it’ll contain all of that. URLs are pretty much always logged. So now you have auth tokens (effectively passwords) in logs, which are rarely encrypted or protected, since logs aren’t meant to contain sensitive information.