# Sensitive Tokens in URL Parameters

- ID: python-tokens-in-urls
- Severity: HIGH
- CWE: CWE-598
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects sensitive tokens, API keys, or credentials being passed as URL query parameters. URLs are recorded in browser history, proxy and server access logs, and outbound Referer headers, so any secret placed in the query string is exposed to every component that sees the URL. Pass secrets in an HTTP header (Authorization) or in the request body instead.

## Remediation

Pass tokens in the Authorization header instead of URL query parameters.

```python
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/api/data')
def get_data():
    # Read the bearer token from the Authorization header, never from the query string.
    auth_header = request.headers.get('Authorization')
    if not auth_header or not auth_header.startswith('Bearer '):
        return jsonify({'error': 'Missing token'}), 401
    token = auth_header[7:]  # strip the 'Bearer ' prefix
    # verify_token() and get_user_data() are the application's own functions.
    return jsonify(get_user_data(verify_token(token)))
```

Learn more: https://shoulder.dev/learn/python/cwe-598/tokens-in-urls
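The remediation above moves the token out of the URL; the complementary defensive control is to catch any URL that still carries one before it is written to a log. The following is an added example, not code from the rule page, showing a small checker that flags credential-looking query parameters and redacts their values; the parameter-name list and sample URLs are constructed for illustration.

```python
# Added example: flag and redact credential-bearing query parameters so that
# URLs can be logged without exposing the secret (defensive logging aid).
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list of parameter names that commonly carry secrets; extend it
# for the naming conventions used by your own application.
SENSITIVE_PARAMS = {
    "token", "access_token", "auth_token", "id_token", "refresh_token",
    "api_key", "apikey", "secret", "client_secret", "password",
}


def find_sensitive_params(url: str) -> list[str]:
    """Return the query-parameter names in `url` that look like credentials.

    Matching is case-insensitive; the names are returned as they appear.
    """
    query = urlsplit(url).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)
             if name.lower() in SENSITIVE_PARAMS}
    return sorted(names)


def redact_url(url: str) -> str:
    """Rewrite `url` with sensitive parameter values replaced by 'REDACTED'.

    Scheme, host, path, non-sensitive parameters and fragment are preserved,
    so the redacted form is still useful in an access log.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
                for name, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    # Constructed sample URL of the kind this rule flags.
    sample = "https://api.example.com/api/data?token=abc123&page=2"
    print(find_sensitive_params(sample))  # ['token']
    print(redact_url(sample))             # https://api.example.com/api/data?token=REDACTED&page=2
```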