Remove email address in password reset url querystring

Hi

I was wondering if it is possible to prevent a user’s email address from being sent in the querystring in the URL where the user gets redirected to after a successful password reset, e.g.:

/password-reset/index.html?email=an-email-address@email.com&success=true&message=You can now login to the application with the new password.

A security review highlighted this as a (minor) issue, where the email address would show up in Google Analytics, web server logs and referrer headers.

Thanks,

Vince

Hey there @streetsupport, I’m working to find you an answer for this. I will keep you posted on what I find. Thanks!

1 Like

After confirming with our support team, @streetsupport, it isn’t currently possible to prevent an end user’s email address from being sent as a part of the querystring in the URL when they get redirected. However, if you like, I can submit this as a feature request at Auth0: Secure access for everyone. But not just anyone. Thanks!

1 Like
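
One way to limit the exposure described in this thread on the application side, as an added example that is not from the thread or from Auth0: a script on the landing page removes the `email` parameter from the address bar before any analytics code runs. The names `SENSITIVE_PARAMS` and `scrubResetUrl` and the `app.example.invalid` base are assumptions; the parameter names come from the URL in the question.

```javascript
// Added example, not Auth0 code. Hypothetical names: SENSITIVE_PARAMS, scrubResetUrl.
const SENSITIVE_PARAMS = ["email"];

// Returns the path + query + fragment of rawUrl with sensitive query
// parameters removed. Other parameters (success, message) are kept.
// `base` is only used to resolve relative URLs; the default is a placeholder.
function scrubResetUrl(rawUrl, base = "https://app.example.invalid") {
  const url = new URL(rawUrl, base);
  let changed = false;
  // Copy the keys first: deleting while iterating a live URLSearchParams skips entries.
  for (const name of [...url.searchParams.keys()]) {
    // Match case-insensitively so "Email=" is handled like "email=".
    if (SENSITIVE_PARAMS.includes(name.toLowerCase())) {
      url.searchParams.delete(name);
      changed = true;
    }
  }
  return { changed, path: url.pathname + url.search + url.hash };
}

// Browser usage: place this first in <head>, ahead of analytics and any
// third-party resources, so later page views and Referer headers are built
// from the cleaned URL. Skipped automatically outside a browser.
if (typeof window !== "undefined" && typeof history !== "undefined") {
  const { changed, path } = scrubResetUrl(window.location.href, window.location.origin);
  if (changed) {
    // Rewrites the address bar and history entry without reloading the page.
    history.replaceState(history.state, "", path);
  }
}
```

This only cleans what the browser exposes after the page has loaded; the first request to the web server still carried the address, so access logs need their own redaction.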

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.