- Context: Cloud / Both
- Category: Secret Leakage / Interception
- Severity: 🟠 High
Evidence
Multiple API routes accept the OAuth Bearer token as a URL query parameter:

```tsx
// components/map/country-conflicts-modal.tsx
url.searchParams.set("accessToken", accessToken);

// components/search/entity-search.tsx
url.searchParams.set("accessToken", accessToken);
```

These URLs are then requested by the browser, resulting in request lines such as:

```http
GET /api/entities?name=Hezbollah&accessToken=ey...long_token...&stream=true HTTP/1.1
GET /api/countries/conflicts?country=Iran&accessToken=ey...long_token... HTTP/1.1
```
Token exposure surfaces:

| Surface | Visibility |
|---|---|
| CDN / reverse proxy access logs (nginx, Cloudflare, AWS ALB) | ✅ Logged by default |
| Next.js server-side request logging | ✅ Logged |
| Browser history | ✅ URL stored |
| Referer header on cross-origin sub-requests | ✅ Token leaked to third parties |
| Browser dev-tools Network tab (accessible to extensions) | ✅ Visible |
| APM/tracing tools (Datadog, Sentry, New Relic) | ✅ Captured in trace spans |
Standard practice: Bearer tokens must be transmitted exclusively in the `Authorization` HTTP header, which access logs do not record by default, unlike the request line that carries the query string.

Affected files: `components/map/country-conflicts-modal.tsx`, `components/search/entity-search.tsx`, `app/api/entities/route.ts`, `app/api/countries/conflicts/route.ts`, `app/api/deepresearch/[taskId]/route.ts`
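The remediation in code, as an added example that is not part of the audited project: the client builds the request with the token in the `Authorization` header only, the server-side helper reads the token from that header and ignores (but flags) any `accessToken` query parameter so legacy callers fail closed, and a redaction helper scrubs the value from any URL that still reaches logs or tracing during the transition. The function names (`buildApiRequest`, `extractBearerToken`, `redactTokenFromUrl`) and the `example.invalid` host are assumptions made for this example.

```typescript
// Added example, not code from the audited project. All function names and
// the sample host are hypothetical.

interface ApiRequest {
  url: string;
  headers: Record<string, string>;
}

// Client side: build the request so the token never enters the URL.
function buildApiRequest(
  base: string,
  path: string,
  params: Record<string, string>,
  accessToken: string,
): ApiRequest {
  const url = new URL(path, base);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  // The token travels only in the Authorization header; the query string is
  // what access logs, browser history and Referer headers record.
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

interface TokenLookup {
  token: string | null;     // token from the Authorization header, or null
  tokenInQuery: boolean;    // true if a caller still sent ?accessToken=...
}

// Server side: accept the token from the Authorization header only.
// A token offered in the query string is never used, so a stale client that
// still leaks it gets a 401 rather than a silently working (and logged) token.
function extractBearerToken(
  headers: Record<string, string>,
  requestUrl: string,
): TokenLookup {
  const tokenInQuery = new URL(requestUrl).searchParams.has("accessToken");
  // Header names are case-insensitive; match without assuming casing.
  const authHeader = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "authorization",
  )?.[1];
  // RFC 6750 b64token character set; reject anything else as malformed.
  const match = authHeader
    ? /^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/.exec(authHeader)
    : null;
  return { token: match ? match[1] : null, tokenInQuery };
}

// Log hygiene for the transition period: redact the value before a request
// line with a query-string token reaches access logs, APM or error reporting.
function redactTokenFromUrl(rawUrl: string): string {
  return rawUrl.replace(/([?&]accessToken=)[^&\s]*/g, "$1[REDACTED]");
}

// Constructed sample values, not real tokens or hosts.
const sampleToken = "eyJ.constructed.sample";
const sampleRequest = buildApiRequest(
  "https://example.invalid",
  "/api/entities",
  { name: "Hezbollah", stream: "true" },
  sampleToken,
);
console.log(sampleRequest.url);                 // no accessToken in the URL
console.log(extractBearerToken({ authorization: `Bearer ${sampleToken}` }, sampleRequest.url));
console.log(redactTokenFromUrl("GET /api/entities?name=x&accessToken=eyJ.abc&stream=true HTTP/1.1"));
```

Reading the token only from the header also keeps the route's behaviour stable when a CDN or proxy in front of it strips or rewrites query strings, and `tokenInQuery` gives the route a cheap signal to log (without the value) so remaining leaky callers can be found and fixed.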