Clarification on REST API url parameters and passing secrets

Hello all, looking for some clarification on a problem that my team ran into this past week regarding a Resource we have configured for our REST API, where we pass the secrets in the URL parameters.

Currently if you would go look at the request body of one of these calls, you would see the –sanitized– key words at the beginning, but the values would still be visible, meaning you would see the keys we are passing.

Have we just gotten the pattern incorrect? In the docs, I did notice this:

Retool sanitizes any headers with keys that contain authorization, key, or password.

Is this not true for URL parameters? Or do we have to use Headers instead?

Hello @Kevin_Eslick,

Yes, Retool does sanitize headers with any of those keywords.

Retool does not sanitize URL params. Even if we did, this is bad practice as there are a number of other layers where these would be exposed (URLs are logged by servers, URLs are cached by proxies, URLs can show up in monitoring tools, URLs are stored in browser history).

I would definitely recommend moving secrets to the query headers.

Is there a specific reason for needing to configure secrets in the URL for your use case?
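The reply above makes two points: header sanitization only covers header names containing "authorization", "key" or "password", and a secret in the query string is recorded in full by anything that logs URLs. The script below is an added illustration, not Retool's code: it applies the quoted header rule, audits a constructed request URL for secret-looking parameters, shows what a request log would retain, and moves those parameters into headers (the `X-` prefix, the `api.example.invalid` host and the sample values are constructed for the example).

```python
"""Why a secret in a URL query string survives header sanitization, and
how it looks once moved into a header that does get redacted.

Added example, not Retool's code. The redaction rule (names containing
"authorization", "key" or "password") is the one quoted in the thread;
the helper names, the host and the sample secret are constructed.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SENSITIVE_KEYWORDS = ("authorization", "key", "password")
REDACTED = "--sanitized--"


def is_sensitive_name(name: str) -> bool:
    """True if a header or parameter name contains one of the keywords."""
    lowered = name.lower()
    return any(word in lowered for word in SENSITIVE_KEYWORDS)


def sanitize_headers(headers: dict) -> dict:
    """Redact header values whose names match, as the docs describe for headers.
    Nothing here touches the URL, which is the point of the thread."""
    return {k: (REDACTED if is_sensitive_name(k) else v) for k, v in headers.items()}


def find_secrets_in_url(url: str) -> list:
    """Return query-parameter names that look like secrets. These are what a
    server access log, proxy cache or browser history would keep verbatim."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_sensitive_name(name)]


def move_secrets_to_headers(url: str, headers: dict) -> tuple:
    """Strip secret-looking parameters from the URL and carry them as headers.
    Returns (clean_url, new_headers). The 'X-' + parameter-name header
    naming is a constructed convention for this example."""
    parts = urlsplit(url)
    kept, moved = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive_name(name):
            moved["X-" + name] = value
        else:
            kept.append((name, value))
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, {**headers, **moved}


def access_log_line(url: str, headers: dict) -> str:
    """What a request log would show: the full URL plus sanitized headers."""
    return f"GET {url} headers={sanitize_headers(headers)}"


if __name__ == "__main__":
    # Constructed request in the shape the original poster describes.
    url = "https://api.example.invalid/v1/orders?api_key=SECRET123&page=2"
    headers = {"Content-Type": "application/json"}
    print("secret-looking params:", find_secrets_in_url(url))
    print("before:", access_log_line(url, headers))
    clean_url, new_headers = move_secrets_to_headers(url, headers)
    print("after: ", access_log_line(clean_url, new_headers))
```

Running it prints the "before" line with `SECRET123` still visible in the URL even though the headers were sanitized, and the "after" line with the value redacted because it now travels in a header whose name matches the rule. `find_secrets_in_url` is the kind of check worth running over a Resource's configured URL before it ships.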