Yes, it is. But using GET for sensitive data is a bad idea for several reasons:
- Mostly HTTP referrer leakage (an external image in the target page might leak the password[1])
- The password will be stored in server logs (which is obviously bad)
- History caches in browsers
Therefore, even though the query string is secured, it's not recommended to transfer sensitive data over the query string.
[1] Although I need to note that the RFC states that browsers should not send referrers from HTTPS to HTTP. But that doesn't mean a bad 3rd party browser toolbar or an external image/flash from an HTTPS site won't leak it.
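
The two server-side leak paths listed above (the site's own access log and the Referer header recorded by a third-party host), shown as an added example that is not part of the original answer. It scans Combined Log Format lines and redacts sensitive query parameters; the parameter names, host names and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of sensitive parameters; adjust to the application.
SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}

# Combined Log Format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, names of sensitive parameters found)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_line(line):
    """Redact one log line and report which field carried which parameter."""
    m = LOG_RE.search(line)
    if not m:
        return line, []
    findings = []
    for field in ("target", "referer"):
        original = m.group(field)
        redacted, names = redact_url(original)
        if names:
            findings.append((field, names))
            line = line.replace(original, redacted)
    return line, findings

# Constructed sample lines: the site's own log, a third-party image host's
# log that recorded the Referer, and a POST login with no query string.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /banner.png HTTP/1.1" 200 2048 "https://shop.example/login?user=alice&password=hunter2" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Running `scan_line` over existing logs shows where credentials have already been written, and the same function can serve as a redaction filter before logs are shipped elsewhere.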