Remove email address in password reset url querystring


I was wondering if it is possible to prevent a user’s email address being sent in the querystring in the url where the user gets redirected to, after a success password reset. eg:

/password-reset/index.html? can now login to the application with the new password.

A security review highlighted this as a (minor) issue, where the email address would show up in google analytics, web server logs and referrer headers



Hey there @streetsupport, I’m working to find you an answer for this. I will keep you posted in what I find. Thanks!

1 Like

After confirming with our support team @streetsupport it isn’t currently possible to prevent an end user’s email address from being sent as a part of the querystring in the url when they get redirected. However, if you like I can submit this as a feature request at Auth0: Secure access for everyone. But not just anyone.. Thanks!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.