Sensitive information — session tokens, passwords, personal data — passed as URL query parameters ends up logged in browser history, server access logs, and analytics tools, and gets sent to any third party your page loads via the Referer header when a visitor clicks an outbound link.
Tokens, API keys, and passwords passed as ?token=... in a URL end up in browser history, server logs, and any analytics tool watching page views — all in plain text, all outside your control.
No passwords or long-lived session tokens appear directly in URLs; any necessary short-lived tokens are single-use and protected by a no-referrer policy.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →