
Use of HTTP Request Method With Sensitive Query Strings

PY007
sensitive_query_strings
CWE-598
⛔️ Error

Placing sensitive information, such as a username, password, or API key, directly in a URL is a security risk. URLs are recorded in many places outside the application's control, including web server and proxy logs, browser history, and network monitoring tools, so any secret carried in the query string is exposed to anyone with access to those records.

Example

import http.client


host = "example.com"
conn = http.client.HTTPSConnection(host)
# The API key is part of the request URL, so it will be written to server
# logs, proxy logs and browser history along with the rest of the path.
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()

Remediation

To avoid this vulnerability, put sensitive information in the request as headers, rather than a parameter of the URL.

import http.client


host = "example.com"
# The API key travels in a request header, which is not part of the URL
# and is normally excluded from access logs and history.
headers = {
    "X-FullContact-APIKey": "value"
}
conn = http.client.HTTPSConnection(host)
conn.request("GET", "/path?otherParam=123", headers=headers)
response = conn.getresponse()
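The following helper shows the remediation above applied generically: it finds query parameters whose names look sensitive, moves them into headers before the request is built, and redacts them when a URL has to be logged. This is an added example, not code from the rule's documentation; the list of sensitive parameter names, the header mapping, and the URLs are constructed for illustration.

```python
"""Added example (not part of the rule's documentation): detect sensitive
query parameters and move them into request headers before the request is
issued.  SENSITIVE_PARAM_NAMES, the header mapping and the sample URLs are
constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list of query-parameter names treated as sensitive.
SENSITIVE_PARAM_NAMES = {
    "apikey", "api_key", "key", "token", "access_token",
    "password", "passwd", "pwd", "secret", "username", "user",
}


def find_sensitive_params(url):
    """Return the names of query parameters in `url` that look sensitive."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAM_NAMES]


def move_sensitive_params_to_headers(url, header_for_param):
    """Strip sensitive parameters from `url`; return (clean_url, headers).

    `header_for_param` maps a query-parameter name to the header that should
    carry its value, e.g. {"apiKey": "X-FullContact-APIKey"}.  A sensitive
    parameter with no mapping raises ValueError instead of being sent in the
    URL silently.
    """
    parts = urlsplit(url)
    kept, headers = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES:
            if name not in header_for_param:
                raise ValueError(
                    f"no header mapping for sensitive parameter {name!r}")
            headers[header_for_param[name]] = value
        else:
            kept.append((name, value))
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, headers


def redact_url_for_logging(url):
    """Replace sensitive parameter values so the URL can be logged safely."""
    parts = urlsplit(url)
    redacted = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAM_NAMES else v)
                for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    import http.client

    path = "/path?apiKey=value&otherParam=123"
    print(find_sensitive_params(path))  # ['apiKey']
    clean_path, headers = move_sensitive_params_to_headers(
        path, {"apiKey": "X-FullContact-APIKey"})
    print(clean_path, headers)  # /path?otherParam=123 {'X-FullContact-APIKey': 'value'}
    print(redact_url_for_logging("https://example.com" + path))

    # The cleaned path and headers feed straight into http.client, as in
    # the remediation above (no request is sent here).
    conn = http.client.HTTPSConnection("example.com")
    request_args = ("GET", clean_path)
    request_kwargs = {"headers": headers}
```

The check is name-based and case-insensitive, so it matches `apiKey`, `APIKEY` and `api_key` alike; extend `SENSITIVE_PARAM_NAMES` to match the parameter names your APIs actually use. Refusing to send an unmapped sensitive parameter, rather than dropping it or passing it through, makes the failure visible at development time instead of in a log file later.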

False Positives

If the rule reports a false positive, it can be suppressed: add a trailing or preceding comment line containing either the rule ID (PY007) or the rule category name (sensitive_query_strings).

import http.client


host = "example.com"
conn = http.client.HTTPSConnection(host)
# suppress: PY007
conn.request("GET", "/path?apiKey=value&otherParam=123", headers={})
response = conn.getresponse()

See also