•  29-08-2022
  •  | 
  •  

Question

Is it safe to use e-mail addresses inside URLs? I mean lets say a web-application has a registered user "Bob" and Bob has been registered by using his email => Bob@hisemail.com. Now what's your opinion, is it safe for the application to accept and work with GET requests on //application.com/Bob@hisemail.com and the same kind of URLs for every user?

Was it helpful?

Solution

Basically it depends on if you love or hate your users. When you do what you suggest, these URLs will spread on HTML pages on the web. Not necessarily confined to your own site, because people may link to it.

When your page gains enough traction to become important, crawler authors for spam bots will notice and add rules to their crawlers to extract the email address from URLs. It might even not be necessary, because some dumb regexes might already find the email without adaption.

Then, your users' email addresses will land on spammers' lists and get "unwanted adverts", euphemistically speaking. (These email lists will be rather high-valued, too, because they are "verified" to be real, existing ones.)

What you're doing here is giving away a private bit of identification your users trusted you with. Never ever allow that to be in public, unless your users told you so!

From a technical perspective, you can just go for it.

OTHER TIPS

I think that this is not a good idea. Firstly, email contains special chars that needs to be URL encoded so they don't get mixed up with system characters (for example, for FTP servers you can pass username like this ftp://user:pass@test.com).

Also, I would not like it from user perspective as in this case my e-mail would stay in browsers history.

In this case, the email address can be used with request parameter as GET Method, e.g:

// application.com/file_name?email=Bob@hisemail.com

This option is more safety and probably used.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top