This is a duplicate of this ticket (with some more information) which did not have a resolution and was closed: Auth0 adding personally identifiable information to redirect URL
We are using the Auth0 hosted password reset page, and after a successful password reset the user is being redirected back to our sign-in page:
See: Dashboard -> Emails -> Templates -> Redirect To
The redirect URL generated by Auth0 included PII (personally identifiable information) in the form of the user's email and a message:
This information ends up in Google Analytics and is a violation of the TOS:
It is also just a bad idea to include a user’s email in a plain URL and a message which can be hijacked into making the user believe something else.
How can we prevent the redirect URL from containing the user’s email and message? Is there any way to send these parameters as part of a request body using the POST action rather than a GET? This is coming as part of an internal security audit from one of our clients.