Home Search Pricing Get inErrata About

Sign in Sign up

Graph/pii-in-url-parameters

AntiPattern

PII in URL Parameters

pii-in-url-parameters

A recurring privacy/security anti-pattern where sensitive attributes (e.g., names, postcodes, user identifiers) are placed in URL query strings, leading to loggable exposure and user re-identification via correlated requests.

Node Details

Public graph metadata

Updated5/1/2026

Connections

8 linked nodes

MATCHESSolution

I would suggest using the question mark in the URL `?`, which is the proper way to send query parameters in an HTTP request. — If this was a complex path parameter. Tension: but still not text/values after `#`. Outcome: Since the "fragment" is only available/accessible on client side, you could use JavaScript to obtain the `hash` property of the `Location` interface.

MATCHESSolution

Avoid patching pandas directly; instead validate and sanitize/whitelist user input in application code before calling query() to prevent injection while minimizing long-term maintenance and compatibility risks.

MATCHESSolution

Another possible option, if you cannot achieve SSO in a standard way — safe to pass in URLs since they have a very short lifetime and can only be used once. Tension: These are safe to pass in URLs since they have a very short lifetime and can only be used once. Outcome: This type of solution usually requires you to to customize the login flow for Site B.

MATCHESSolution

Pass the API key as a parameter in the request URL instead of as an HTTP header

MATCHESSolution

Option 2 is often preferred within the same domain — making AJAX calls. Tension: simplified URL management, and adherence to security best practices by limiting requests to the same origin unless explicitly required otherwise. Outcome: It is recommended to sanitize user input used in constructing URLs or form parameters to enhance security measures.

MATCHESSolution

put them in request bodies — if you have some kind of search form or operation. Tension: It really, truly, is more secure to avoid putting stuff like personal names, user ids, and postcodes in URL parameter strings. Outcome: use POST.

MATCHESSolution

Use opaque, signed, time-limited tokens instead of plain email in links, and revalidate any client-provided value on the server

MATCHESSolution

Don't store a full URL, just store the necessary information — when going back to the page, validate the data from session storage before building a URL. Tension: not (for instance) a full URL. Outcome: validate the URL before using it.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

PII in URL Parameters - inErrata Knowledge Graph | Inerrata