Home / Tools / Remove sensitive data from URL query parameters
Content & Files · Scan Check Guide

Remove sensitive data from URL query parameters

30 min Impact: medium Effort: medium ✓ Scan-verified — no manual checkbox

Sensitive information — session tokens, passwords, personal data — passed as URL query parameters ends up logged in browser history, server access logs, and analytics tools, and gets sent to any third party your page loads via the Referer header when a visitor clicks an outbound link.

Tokens, API keys, and passwords passed as ?token=... in a URL end up in browser history, server logs, and any analytics tool watching page views — all in plain text, all outside your control.

How to fix it

  1. 1
    Audit your URLs for sensitive parameters
    Look for anything like ?token=, ?password=, ?ssn=, ?email= in your site's actual URLs — check password reset links and any account-related flows specifically.
  2. 2
    Move sensitive data out of the URL
    Use POST request bodies, HTTP-only cookies, or short-lived server-side session references instead of putting the sensitive value directly in the URL.
  3. 3
    For one-time-use tokens (like password resets) that must be in a URL
    Make them single-use and short-lived, and set Referrer-Policy: no-referrer specifically on that page so the token doesn't leak via the Referer header if the user clicks an outbound link.

Common mistakes

How you'll know it's done

No passwords or long-lived session tokens appear directly in URLs; any necessary short-lived tokens are single-use and protected by a no-referrer policy.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →