item 46974365

l72|20 days ago

The fact that most of these are capturing query parameters: "u": "https://www.google.com/search?q=target", indicates that they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.

cess11|20 days ago

If a service is sending auth tokens as URL parameters, stop using it. Those are always public.

dangets|19 days ago

I don't disagree with the advice (especially for long-lived tokens), but query parameters are encrypted during transit with https. You still need to worry about server access logs, browser history, etc. that might expose the full request URL.

karel-3d|19 days ago

huh? https encrypts URL parameters?
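Added example, not part of the thread: one way to keep credential-bearing query parameters out of stored access logs, which is one of the exposure points named above. The parameter-name list, the value-shape heuristics and the sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of credential-bearing parameter names; extend it per service.
SENSITIVE_NAMES = {"token", "access_token", "id_token", "refresh_token",
                   "api_key", "apikey", "key", "code", "sig", "signature",
                   "session", "sessionid", "auth", "password"}
# Value shapes that look like credentials whatever the parameter is called.
JWT_RE = re.compile(r"^[\w-]{8,}\.[\w-]{8,}\.[\w-]*$")
OPAQUE_RE = re.compile(r"^[A-Za-z0-9_+/=-]{32,}$")
# An absolute URL, or a request target that carries a query string.
URL_RE = re.compile(r'https?://[^\s"]+|/[^\s"]*\?[^\s"]+')


def looks_secret(name, value):
    """Heuristic: flag by parameter name or by the shape of the value."""
    return bool(name.lower() in SENSITIVE_NAMES
                or JWT_RE.match(value) or OPAQUE_RE.match(value))


def redact_url(url):
    """Return (scrubbed_url, redacted_parameter_names)."""
    parts, hits, pairs = urlsplit(url), [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_secret(name, value):
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    # Non-secret parameters are kept so the log stays useful for debugging.
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits


def scrub_log_line(line):
    """Redact every URL in an access-log line: request target and Referer."""
    return URL_RE.sub(lambda m: redact_url(m.group(0))[0], line)


# Constructed combined-log-format line; host, token and session are made up.
SAMPLE = ('203.0.113.7 - - [10/Feb/2026:12:00:00 +0000] '
          '"GET /reset?token=abc123&lang=en HTTP/1.1" 200 512 '
          '"https://mail.example.test/inbox?session=s3cr3t&view=1" "Mozilla/5.0"')

if __name__ == "__main__":
    print(scrub_log_line(SAMPLE))
```

Scrubbing at log-write time only covers the server side; the same URL still lands in browser history and is visible to anything in the browser that reads the address.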