Leakage of sensitive data in HTTP GET parameters

Description

Sensitive data should never be sent as part of the query string in HTTP GET requests. This rule checks if sensitive data types are sent as GET parameters.

Remediations

Avoid sending sensitive data through HTTP GET parameters: the query string is part of the URL, so it ends up in plain text in server and proxy access logs, browser history and Referer headers, even when the connection itself uses HTTPS:

❌ Avoid code like this:

HTTParty.get(
  'https://secure-api.com/user',
  query: {
    email: user.email
  }
)

✅ Instead, use the HTTP POST method if you need to send data:

HTTParty.post(
  'https://secure-api.com/user',
  body: {
    email: user.email
  }
)

✅ Or keep using HTTP GET but avoid sending sensitive data, passing a non-sensitive identifier instead:

HTTParty.get(
  'https://secure-api.com/user',
  query: {
    id: user.uuid
  }
)
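The remediations above rely on a developer noticing that a field is sensitive. The following Ruby helpers are an added example (not part of this rule's documentation or of HTTParty) showing how to make that decision mechanically: a check that flags sensitive keys in a query hash or URL, a request planner that moves such fields into a POST body, and a URL redactor for log output. The key list `SENSITIVE_KEYS` and the function names are assumptions for illustration; the request is only planned, not sent, so the code runs offline.

```ruby
require 'uri'

# Parameter names treated as sensitive (constructed list for this example;
# replace it with your own data classification).
SENSITIVE_KEYS = %w[email password token ssn phone api_key].freeze

# Returns the names of sensitive parameters found in `target`, which may be a
# params Hash (as passed to HTTParty's `query:`) or a full URL string.
def sensitive_query_params(target)
  names = case target
          when Hash   then target.keys.map(&:to_s)
          when String then URI.decode_www_form(URI.parse(target).query.to_s).map(&:first)
          else raise ArgumentError, 'expected a Hash or a URL String'
          end
  names.select { |name| SENSITIVE_KEYS.include?(name.downcase) }
end

# Decides how a request should be issued. Non-sensitive params may stay in the
# query string (GET); as soon as one sensitive key is present, every param is
# moved into the request body (POST) so nothing sensitive reaches the URL.
# Returns the method and the options hash you would hand to HTTParty.
def plan_request(url, params)
  if sensitive_query_params(params).empty?
    { method: :get,  url: url, options: { query: params } }
  else
    { method: :post, url: url, options: { body: params } }
  end
end

# Defensive counterpart for logging: replaces the value of any sensitive query
# parameter in a URL before the URL is written to a log line.
def redact_query(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  pairs = URI.decode_www_form(uri.query).map do |name, value|
    [name, SENSITIVE_KEYS.include?(name.downcase) ? '[REDACTED]' : value]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mirroring the rule's own examples.
  p plan_request('https://secure-api.com/user', { email: 'alice@example.com' })
  p plan_request('https://secure-api.com/user', { id: '6f1c-...' })
  puts redact_query('https://secure-api.com/user?email=alice%40example.com&id=42')
end
```

`plan_request` is deliberately all-or-nothing: splitting one request into a query part and a body part would be easy to get wrong, and the rule's own remediation is to switch the whole call to POST. `redact_query` is the check to apply at the logging boundary, where query strings from third parties may still arrive regardless of how your own code sends data.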