Sensitive data detected in HTTP URL.

Description

Sensitive data should never be sent as part of the URL in HTTP requests.

Remediations

Avoid sending sensitive data in a URL, as URLs can be seen by intermediaries or logged by applications:

❌ Avoid adding sensitive data in paths:

$curl = curl_init("https://example.com/users/{$user->email}");

❌ Avoid adding sensitive data in query parameters:

$query = http_build_query(['email' => $user->email]);
$curl = curl_init("https://example.com/users?$query");

✅ Use an HTTP POST body if you need to send sensitive data:

$query = http_build_query(['email' => $user->email]);
$curl = curl_init("https://example.com/users/list");
curl_setopt($curl, CURLOPT_POSTFIELDS, $query);

✅ Or avoid sending sensitive data altogether:

$query = http_build_query(['uuid' => $user->uuid]);
$curl = curl_init("https://example.com/users?$query");
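
A pre-flight check for the cases above, written as an added example (it is not part of this rule or its project): it inspects a URL's path and query string for sensitive-looking data before a request is made. The function name `findSensitiveInUrl`, the `SENSITIVE_KEYS` list and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example. SENSITIVE_KEYS and findSensitiveInUrl() are hypothetical names;
// extend the list to match the data your application treats as sensitive.
const SENSITIVE_KEYS = ['email', 'password', 'token', 'ssn'];

function findSensitiveInUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return ['unparseable URL'];
    }
    $findings = [];

    // Path segments: flag anything shaped like an e-mail address.
    foreach (explode('/', $parts['path'] ?? '') as $segment) {
        if (filter_var(rawurldecode($segment), FILTER_VALIDATE_EMAIL) !== false) {
            $findings[] = 'path segment looks like an e-mail address';
        }
    }

    // Query string: flag sensitive parameter names and e-mail-shaped values.
    // Nested parameters such as user[email]=... are visited leaf by leaf.
    parse_str($parts['query'] ?? '', $params);
    array_walk_recursive($params, function ($value, $key) use (&$findings) {
        if (in_array(strtolower((string) $key), SENSITIVE_KEYS, true)) {
            $findings[] = "query parameter '$key' is on the sensitive list";
        } elseif (filter_var($value, FILTER_VALIDATE_EMAIL) !== false) {
            $findings[] = "query parameter '$key' holds an e-mail address";
        }
    });

    // Findings name the location only, never the value, so they are safe to log.
    return $findings;
}

// Constructed sample URLs mirroring the four cases above.
$samples = [
    'https://example.com/users/alice%40example.com',
    'https://example.com/users?email=alice%40example.com',
    'https://example.com/users/list',
    'https://example.com/users?uuid=3f2b8c1e-5d4a-4f6b-9a7e-0c1d2e3f4a5b',
];
foreach ($samples as $url) {
    $findings = findSensitiveInUrl($url);
    echo $url, ' => ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

The first two sample URLs are flagged; the POST endpoint and the UUID lookup pass.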