Is your feature request related to a problem? Please describe.
GET URLs that carry parameters, whether http or https, leak sensitive information when those parameters include API keys, usernames, and passwords. Browser extensions, bookmarks, history, and server log files capture these, even when operating in anonymous mode. Browser providers could share the information, and log files need to mask the sensitive information.
Noticed that sites such as HERE and Google, for ease of use, suggest putting API keys in the URL.
See: https://developer.here.com/documentation/geocoder/topics/quick-start-geocode.html and
https://developers.google.com/maps/documentation/roads/get-api-key
Describe the solution you'd like
It would be good to flag such 'sensitive' URL construction, alerting the developer to its potential security implications. And its complement: alert when URLs are logged in the code and have not been explicitly marked as "ignore" or had some kind of masking applied.
Describe alternatives you've considered
None
Additional context
https://www.fullcontact.com/blog/never-put-secrets-urls-query-parameters/
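A sketch of both checks described above (flagging sensitive query parameters in a URL, and flagging log lines that carry such URLs unmasked), as an added example that is not part of this issue or of the project's code. The parameter-name list, the log lines and the hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry credentials (constructed list; extend per project).
SENSITIVE_PARAM_RE = re.compile(
    r"(api[_-]?key|app[_-]?(id|code)|key|token|access[_-]?token|secret|"
    r"password|passwd|pwd|user(name)?|auth|session[_-]?id|sig(nature)?)",
    re.IGNORECASE,
)
# Alphanumeric so urlencode() leaves it untouched in the rebuilt URL.
MASK = "REDACTED"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_sensitive_params(url):
    """Names of query parameters in `url` that look like secrets or credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if SENSITIVE_PARAM_RE.fullmatch(name)]


def mask_url(url):
    """Rebuild `url` with sensitive parameter values replaced by MASK, safe for logging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(n, MASK if SENSITIVE_PARAM_RE.fullmatch(n) else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def flag_log_lines(lines):
    """(line_number, param_names) for each line holding a URL whose sensitive params are not masked."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            names = [n for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
                     if SENSITIVE_PARAM_RE.fullmatch(n) and v != MASK]
            if names:
                findings.append((no, names))
    return findings


# Constructed application log lines; hosts and key values are placeholders, not real credentials.
SAMPLE_LOG = [
    "INFO fetch https://maps.example.com/roads?path=1&key=EXAMPLE_KEY",
    "INFO fetch https://geocoder.example.com/geocode.json?searchtext=Berlin&app_id=REDACTED&app_code=REDACTED",
    "INFO fetch https://api.example.com/public?q=weather",
]

if __name__ == "__main__":
    print(mask_url(SAMPLE_LOG[0].split()[-1]))
    print(flag_log_lines(SAMPLE_LOG))
```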