I have a URL that looks like this:
http://localhost:8001/jasperserver&reportUnit=somereport&username=cghan&password=somepasswrd
As you can see, the password is in clear site, along with some other parameters.
What's the best way to secure this?
Set the method of the FORM (in HTML) to POST. That way attributes won't be shown in the URL (they can be retrieved exactly the same way).
Anyway, for anyone with a sniffer, it will make little difference. If it is really important, force the server to use only HTTPS.
Use SSL encryption, i.e. HTTPS. This makes it encrypted for everyone on the internet but it is still readable on the address bar.
It is not recommended to send password parameters through URL, e.g. HTTP POST. You should send password as HTTP POST.
来源:https://stackoverflow.com/questions/5533162/encrypting-parameters-in-urls