Is it okay that a payment app is sending my payment details via a GET request?



  • I was trying to use a state-owned mobile payment app to conduct some transaction on the internet and, thanks to an error message, I found out that my card number and the amount I'm paying were sent via a GET request.

    Other data on the request: the name of the service and an HMAC. And, yes, it's on HTTPS, but I don't believe this really helps if the data is in the URL.

    Is this secure? Shouldn't such details be sent over a POST or a PUT request? I'm not a security expert so maybe I'm missing something here.



  • HTTPS protects the entire web request, which includes the URL path and parameters. So the data being in the URL doesn't make it any less securely transmitted. Only the domain name is exposed via SNI.

    GET requests are avoided when transmitting sensitive information in web apps because the URL containing sensitive information may be exposed in the user's browsing history (which may have misled you into thinking URLs themselves were insecure). However, this is obviously a concern with web apps only. Since this scenario is a mobile app, you are fine from a security point of view.
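An added example, not code from the thread or from the app being discussed, showing the leak channel the answer describes in practice: a GET request's query string is what ends up in browser history and, equally, in plain-text server and proxy access logs, whereas a POST body does not. The check below scans constructed access-log request lines for card-number-shaped query values (Luhn checksum to cut false positives) and masks any hit before reporting it; the log lines, parameter names and PANs are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines as a web server or proxy would log them.
# The PANs are the well-known test number 4111... and a corrupted copy of it.
SAMPLE_LOG_LINES = [
    "GET /pay?service=shop&card=4111111111111111&amount=49.90&hmac=abc123 HTTP/1.1",
    "GET /pay?service=shop&card=4111111111111112&amount=5.00 HTTP/1.1",  # bad Luhn
    "POST /pay HTTP/1.1",  # body is not in the log line, so nothing to find
    "GET /search?q=order-12345678&page=2 HTTP/1.1",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (True if the check digit fits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a log redaction would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pan_in_query(request_line: str):
    """Return (param_name, masked_pan) for every query value that looks like a PAN."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    target = parts[1]                      # e.g. /pay?card=...
    hits = []
    for name, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            digits = re.sub(r"[ -]", "", value)   # tolerate "4111 1111 ..." formatting
            if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
                hits.append((name, mask_pan(digits)))
    return hits


def scan_log(lines):
    """Scan log request lines; each finding names the method and offending parameter."""
    findings = []
    for line in lines:
        for name, masked in find_pan_in_query(line):
            findings.append({"method": line.split()[0], "param": name, "pan": masked})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

The same scan can be pointed at exported browser history or a proxy's request log; moving the fields into a POST body (or sending only a server-side token that references them) is what removes them from those records.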

