We are using Openfire 4.0.2 as our chat server. Openfire provides the following URL to consume the chat data for a user, but it accepts the username as part of the URL.
https://localhost:8080/http-bind/?jid=siadmin_000000000000001
In this URL the following sensitive information was found: username. Our security team has raised the issue that information in the URL may be stored in various locations such as web server logs, browser history, bookmarks, the referer header, or even search engine results, and that this increases the risk of disclosure to an attacker. Can you support sending the username in the request body instead of the URL? Please let us know if we can do it or if there is any plan to fix it.
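
An added example, not part of the original post and not Openfire code: while the username still travels in the query string, copies of it in web server logs can be masked. The sketch below redacts the `jid` parameter in both the request line and the referer field of combined-format access log lines; the log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_PARAMS = {"jid"}           # parameter name taken from the URL in the post
MASK = "REDACTED"
QUOTED = re.compile(r'"([^"]*)"')    # quoted fields: request line, referer, user agent

def redact_url(url):
    """Return (url with sensitive query values masked, list of values removed)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(value)
            value = MASK
        pairs.append((name, value))
    if not found:
        return url, []               # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def redact_log_line(line):
    """Mask sensitive parameters in every quoted field; return (line, hit count)."""
    hits = 0
    def fix(match):
        nonlocal hits
        tokens = []
        for tok in match.group(1).split(" "):
            new, found = redact_url(tok) if "?" in tok else (tok, [])
            hits += len(found)
            tokens.append(new)
        return '"' + " ".join(tokens) + '"'
    out = QUOTED.sub(fix, line)
    return out, hits

# Constructed sample lines (assumed combined log format), using the URL from the post.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "POST /http-bind/?jid=siadmin_000000000000001 HTTP/1.1" 200 312 "-" "ExampleClient/1.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "https://localhost:8080/http-bind/?jid=siadmin_000000000000001" "ExampleClient/1.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?lang=en HTTP/1.1" 200 900 "-" "ExampleClient/1.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_log_line(entry))
```

The hit count per line can also be used on its own to measure how many existing log entries already contain the username.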