Don't send along email as plain text in query parameter

We’re seeing plain-text email addresses in query parameters of callback URLs, for example when a user has verified their email or changed their password. These email addresses will end up in our logs, which we can’t do a lot about, and we don’t need them either. Could these be (optionally) removed please? It could potentially be a privacy risk.

:wave: @jasperh you’re right in that that does not sound correct. We never put user credentials (email with the password) in the query string on the URL because, as you said, it would be a serious security issue. I’ve seen this happen before when custom UIs (instead of Lock) are used with some incorrectly written HTML. Can you provide a bit more detail about your current setup? I will need to look into this.

We are using Lock on hosted pages, so that we can style them. What would you like to know about our setup besides that? Also, could you elaborate on what could be wrong in our HTML here? I’d like to share actual code examples, but I don’t think our client would like that. Would it be possible to get some private support or anything like that?

Hello @jasperh, I’m sorry for the delay in response. It appears there’s a support case related to this same question, so to keep from duplicating efforts I’ll let our in-house team continue to take the lead on this front. However, if there are any questions in the future, please feel free to ping us here again at Community; we’d be happy to help! Thanks!
