avoid-sensitive-query-params

effort: 6m
pro+

Warns when a URL query string contains sensitive data.

A URL query string can be saved in the browser's history, leaked to third parties through Referer headers, stored in server and proxy logs, or recorded in other sources. Pass sensitive data via request headers (or the request body) instead.

Example

❌ Bad:

```dart
void fn() {
  // LINT: URL query string could be saved in the browser's history, passed through Referers, stored in logs, or recorded in other sources.
  // Try passing this data via the request headers.
  Uri.https('api.example.com', '', {'token': 'hello'});

  // LINT: URL query string could be saved in the browser's history, passed through Referers, stored in logs, or recorded in other sources.
  // Try passing this data via the request headers.
  final hardcoded = 'https://api.example.com/user?token=test';
}
```

✅ Good:

```dart
// Use another approach for passing sensitive data (for example, request headers or body)
```
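The contrast the rule is about, as an added example that is not part of the DCM documentation: the same request built with the token in the query string (flagged) and with the token in an `Authorization` header (clean), plus a small runtime guard that mirrors the lint's intent. It assumes `package:http`; the host, path, token value and the list of sensitive parameter names are placeholders chosen for the example, not the rule's own list.

```dart
import 'package:http/http.dart' as http;

// Constructed for this example; not the rule's internal list.
const sensitiveParamNames = {
  'token', 'access_token', 'api_key', 'apikey', 'password', 'secret', 'session'
};

/// Flagged by avoid-sensitive-query-params: the secret becomes part of the URL,
/// so it ends up in browser history, Referer headers and access logs.
Uri userUriWithTokenInQuery(String host, String token) {
  return Uri.https(host, '/user', {'token': token});
}

/// Preferred form: the URL carries nothing secret; the token travels in a
/// request header, which Referers and default access-log formats do not record.
Future<http.Response> fetchUser(String host, String token) {
  final uri = Uri.https(host, '/user');
  return http.get(uri, headers: {'Authorization': 'Bearer $token'});
}

/// Runtime check in the spirit of the lint: returns the query parameter names
/// that look sensitive, so a request layer can refuse or log a redacted form.
List<String> sensitiveQueryParams(Uri uri) {
  return uri.queryParameters.keys
      .where((k) => sensitiveParamNames.contains(k.toLowerCase()))
      .toList();
}

/// Redacted rendering suitable for logs: sensitive values are masked.
String redactUri(Uri uri) {
  final masked = {
    for (final e in uri.queryParameters.entries)
      e.key: sensitiveParamNames.contains(e.key.toLowerCase()) ? '***' : e.value
  };
  return uri.replace(queryParameters: masked.isEmpty ? null : masked).toString();
}

void main() {
  const host = 'api.example.com';          // placeholder host
  const token = 'placeholder-token';        // placeholder secret
  final leaky = userUriWithTokenInQuery(host, token);
  assert(sensitiveQueryParams(leaky).contains('token'));
  assert(!redactUri(leaky).contains(token));
  print('would be logged as: ${redactUri(leaky)}');
  final clean = Uri.https(host, '/user');
  assert(sensitiveQueryParams(clean).isEmpty);
  print('clean URL: $clean');
}
```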