We need to remove the email being passed in the query parameter when the user submits the password reset form. I’ve followed the instructions in this link:
However, even though the PATCH request to the Management API goes through, successfully changing the flag to false, we can still observe the email in the redirect link, which looks like:
Our app is failing an important security assessment due to the plainly visible email (considered PII) in the URL. As we’ve changed the flag as per the other thread and it’s not working, please suggest other steps.
For reference, we’re using Classic Universal Login with a custom Password Reset page.