Auth0 Home Blog Docs

Don't send along email as plain text in query paramater


We’re seeing plain-text email-addresses in query parameters of callback-urls, for example when a user has verified its email or changed its password. These email-addresses will end up in our logs, which we can’t do a lot about, and we don’t need them either. Could these be (optionally) removed please? It could potentially be a privacy risk.


:wave: @jasperh you’re right in that that does not sound correct. We never put user credentials (email with the password) in the query string on the URL because, as you said, it would be a serious security issue. Ive seen this happen before when custom UIs (instead of Lock), is used with some incorrectly written HTML. Can you provide a bit more details into your current setup? I will need to look into this.


We are using Lock on hosted pages, so that we can style them. What would you like to know about our setup besides that? Also, could you elaborate on what could be wrong in our HTML here? I’d like to share actual code examples, but I don’t think our client would like that. Would it be possible to get some private support or anything like that?