0

Sometimes I will want to pass in an identifier to my website through the url, but I don't want to display this to the user. Is there a simple way to take in a request param but not display it to the user when loading the page?

This is a general idea of how my code is set up currently

@GetMapping("/somePage")
public ModelAndView get(@RequestHeader HttpHeaders headers,
                        @RequestParam(value = "someId", required = false) String someId) {

I know I could theoretically do this on the javascript side, but that seems to require the page to reload or mess with the history.

JR3652
  • 435
  • 1
  • 4
  • 13
  • 1
    Either redirect user to another url without this parameter (you could store the parameter value in request attributes for example) or do this with javascript history api. Overall sounds like a bad idea. What if your user hits F5 - they would get another response. – ILya Cyclone Feb 01 '19 at 21:45
  • You could put the "hidden" value in a custom header. – Andreas Feb 01 '19 at 22:41

1 Answers1

1

Generally this is bad practice - if it's passed in the URL, it'll be visible in the user's browser history. POST is probably the best practice here.

But to answer your actual question:

Put your custom value into a header and redirect?

Something along these lines (untested)

headers.set("X-Custom-Header1", someId);
headers.set("Location", "/newEndpoint");
return new ResponseEntity<>(headers, HttpStatus.FOUND);
Simon Poole
  • 493
  • 1
  • 6
  • 15
  • This works well for my use case. Why is it bad practice exactly? Just curious – JR3652 Feb 02 '19 at 16:26
  • @JR3652 passing stuff in the URL is almost always going to be visible with minimum effort - even with a workaround like this isn't not suitable for sensitive data. – Simon Poole Feb 04 '19 at 16:25