
From a security standpoint, is it OK to pass a two-factor code via query strings on a GET request?

Let’s say I have a protected resource that I want to fetch. The user is logged in and has 2FA enabled. Since I want to only fetch a resource I would use the HTTP GET method.

But since the spec does "not allow" a request body for GET requests, how would I securely pass the 2FA token from Google Authenticator or similar? Would it be considered secure to pass the 6-digit code in the URL as a query string?

GET https://example.com/api/my-resource?code=123456

Or would I have to change the endpoint to POST just for the sake of 2FA?

Daniel Hallgren
  • Why not put it in a header? – Evert Oct 29 '20 at 21:16
  • @Evert As a custom header, like `X-TwoFactor-Token: 123456`? Or maybe append it to the `Authorization` header, separating it from the Bearer token with a comma `,`? – Daniel Hallgren Oct 29 '20 at 21:21
  • Sure! Either of those sound decent. – Evert Oct 29 '20 at 21:28
  • I'm facing the same situation. My fear is that this opens up the possibility of XSRF attacks. I think it's better to use the parameter to only prefill the form, to avoid carrying out any action for a GET request. – symbiont Mar 09 '22 at 09:37
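The header-based alternative the comments suggest, as an added example that is not code from the question, the comments or any library: a toy server-side handler that refuses a 2FA code arriving in the query string, reads it from a constructed `X-TwoFactor-Token` header instead, and verifies it as an RFC 6238 TOTP with a constant-time compare and a one-step clock skew window. The `log_line` helper shows concretely why the query-string form is risky: an ordinary access log records the request line with its full query string, but not request headers. The header name, the `skew` window and the sample secret (the RFC 6238 / RFC 4226 test-vector secret, so the expected codes are known) are assumptions.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit, parse_qs

# Constructed header name, following the comment thread's suggestion.
TWO_FACTOR_HEADER = "X-TwoFactor-Token"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP (RFC 4226) over the 30-second time counter."""
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew` neighbouring steps.

    Input is validated before any HMAC work, and the comparison is constant-time
    so a timing side channel does not leak how many leading digits matched.
    """
    if not (isinstance(code, str) and code.isascii() and code.isdigit()
            and len(code) == digits):
        return False
    for delta in range(-skew, skew + 1):
        expected = totp(secret, timestamp + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def handle_get(url: str, headers: dict, secret: bytes, now: int):
    """Toy handler for the protected GET resource; returns (status, body).

    A code in the query string is rejected outright rather than silently
    honoured, so clients cannot fall back to the leaky form.
    """
    query = parse_qs(urlsplit(url).query)
    if "code" in query:
        return 400, "second factor must not be sent in the URL"
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    code = lowered.get(TWO_FACTOR_HEADER.lower())
    if code is None:
        return 401, "missing second factor"
    if not verify_totp(secret, code, now):
        return 401, "invalid second factor"
    return 200, "resource"


def log_line(method: str, url: str) -> str:
    """What a typical access log (Common Log Format style) records of a request:
    the request line including the full query string, never the request headers."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'127.0.0.1 - - [constructed-timestamp] "{method} {target} HTTP/1.1" 200 -'


if __name__ == "__main__":
    # RFC 6238 test-vector secret and time, so the expected code is known (287082 at T=59).
    secret = b"12345678901234567890"
    now = 59
    code = totp(secret, now)
    leaky = f"https://example.com/api/my-resource?code={code}"
    print(log_line("GET", leaky))                               # the code is visible in the log
    print(handle_get(leaky, {}, secret, now))                   # (400, ...)
    print(handle_get("https://example.com/api/my-resource",
                     {TWO_FACTOR_HEADER: code}, secret, now))   # (200, 'resource')
```

Putting the code in a header keeps it out of server access logs, browser history, bookmarks and `Referer` headers, which is the concrete difference from the query-string form; it does not by itself address the XSRF concern raised in the last comment, since that is about whether a GET performs a state-changing action at all.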
