Leakage of sensitive data in HTTP request


Sending sensitive data through URLs in HTTP requests exposes it to unnecessary risks. This method of data transmission can lead to the data being captured by intermediaries or being logged by servers, posing a significant privacy and security risk.


  • Do not include sensitive data in the URL path. This makes the information visible in server logs and to anyone who might intercept the URL.
    $curl = curl_init("https://example.com/users/{$user->email}"); // unsafe
  • Do not append sensitive data as query parameters in URLs. Similar to paths, query parameters are also vulnerable to interception and logging.
    $query = http_build_query(['email' => $user->email]); // unsafe
    $curl = curl_init("https://example.com/users?$query");
  • Do use the HTTP POST method to send sensitive data within the body of the request. This method is more secure as the data is not exposed in the URL.
    $query = http_build_query(['email' => $user->email]);
    $curl = curl_init("https://example.com/users/list");
    curl_setopt($curl, CURLOPT_POSTFIELDS, $query);
  • Do not send sensitive data if it's not necessary. If you must send identifying information, use less sensitive data that doesn't compromise user privacy or security.
$query = http_build_query(['uuid' => $user->uuid]);
$curl = curl_init("https://example.com/users?$query");


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_http_url_using_sensitive_data

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_http_url_using_sensitive_data