<div>
Can't you pass as headers? Can you add an encrypt/decrypt function?
</div>

<div>
You HTTPS + the all data is encrypted over the wire. 
 
To hide the Query String. You can't. The Query String is either there or not. 
 
There can be no hiding of Query Strings, only encrypting so one one can read them off the wire.
</div>

<div>
I once saw someone encrypting the url on the browser.
</div>

<div>
<blockquote>
I once saw someone encrypting the url on the browser. 
</blockquote>
Won't be encrypted anywhere else if it was only done client side
</div>

<div>
We use https. I am not worried about that. 
We just don't want the parameters showing on the URL
</div>

<div>
<blockquote>
We use https. I am not worried about that.
</blockquote>
Still visible in web server, proxy and any analytic logs
</div>

<div>
Anything everything that is sent in a browser request including POST requests is visible by some method. &nbsp;POST data does not show in the URL but you can't make a link that is a POST request. 
 
Consider using encrypted data in cookies as Identification. &nbsp;Cookies are returned to the server with every request.
</div>

<div>
<blockquote>
Anything everything that is sent in a browser request including POST requests is visible by some method. &nbsp;POST data does not show in the URL but you can't make a link that is a POST request. 
 
Consider using encrypted data in cookies as Identification. &nbsp;Cookies are returned to the server with every request. 
</blockquote>
Yes, as part of the HTTP header as per my first comment
</div>

<div>
The best &nbsp;&amp; only way to hide query strings, is by not using them. 
If POST request bother you, then cookies (or other headerfields) can be useful.
</div>

<div>
You could encrypt the values that you have in your querystring. But you'd need to take care to encrypt them every time you send that data back from a particular page, and you certainly wouldn't want anything client-side doing the encryption.
</div>

Fixer of Problems

Dave Baldwin

Chief Technology Ninja

Chinmay Patel

<div>
I guess the best option is to use post instead of a querystring. I see some net applications that never show anything on the URL. I don't know how the accomplish that, but it is what we were hoping to do as well.
</div>

<div>
You asked, &quot;I don't know how the accomplish that, but it is what we were hoping to do as well.&quot; 
 
Read carefully through Shaun's + noci's comments. 
 
You'll convert your query string to a cookie + then pass the cookie through Apache headers as part of your session management.
</div>

<div>
You can encrypt and decrypt the query string. This is extremely handy if you are passing query strings between pages using redirects etc.. This sample does use a redirect if the Request[&quot;querystring&quot;] field is empty. If it is empty it encrypts the word case1 and passes it back to this page via a redirect. 
 
If passing query strings between pages as in this example always check your input as this example does. These fields will be human editable etc.. I use switch to process the incoming query strings in this example. 
 
exptest.aspx 

<pre><code class="code-10 nolinks" id="code-20-42843353-1">&lt;%@ Page Language=&quot;C#&quot; %&gt;
&lt;%@ Import Namespace=&quot;System.Security.Cryptography&quot; %&gt; 

&lt;%
//exptest.aspx


String decryptstr = &quot;&quot;;

 if(!string.IsNullOrEmpty(Request[&quot;querystring&quot;])){
if(!CharCheck(Request[&quot;querystring&quot;])){decryptstr = &quot;&quot;;}
else{decryptstr = Decrypt(Request[&quot;querystring&quot;], true, &quot;cypherkey&quot;);}
}

switch (decryptstr){
case &quot;case1&quot;:%&gt;
Case1 reply
&lt;% break;
case &quot;case2&quot;:%&gt;
Case2 reply
&lt;% break;
}


if(string.IsNullOrEmpty(Request[&quot;querystring&quot;])){
Response.Redirect(&quot;exptest.aspx?querystring=&quot; + Encrypt(&quot;case1&quot;, true, &quot;cypherkey&quot;));
}

%&gt;
&lt;script runat=&quot;server&quot;&gt;


 bool CharCheck(string fieldt)
 {
 if((fieldt == &quot;&quot;) || (fieldt == null)){return false;}
 String pattern = @&quot;^([a-zA-Z0-9-\-=]+)$&quot;;
 Regex check = new Regex(pattern);
 if (check.IsMatch(fieldt, 0) == true) { return true; }
 else { return false; }
 }

 public static string Encrypt(string toEncrypt, bool useHashing, string passkey)
 {
 byte[] keyArray;
 byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);
 string key = passkey;
 if (useHashing)
 {
 MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
 keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
 hashmd5.Clear();
 }
 else 
 keyArray = UTF8Encoding.UTF8.GetBytes(key);
 TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
 tdes.Key = keyArray;
 tdes.Mode = CipherMode.ECB;
 tdes.Padding = PaddingMode.PKCS7;
 ICryptoTransform cTransform = tdes.CreateEncryptor();
 byte[] resultArray =
 cTransform.TransformFinalBlock(toEncryptArray, 0,
 toEncryptArray.Length);
 tdes.Clear();
 return Convert.ToBase64String(resultArray, 0, resultArray.Length);
 }

 
 public static string Decrypt(string cipherString, bool useHashing, string passkey)
 {
 byte[] keyArray;
 byte[] toEncryptArray = Convert.FromBase64String(cipherString);
 string key = passkey;
 if (useHashing)
 {
 MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
 keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
 hashmd5.Clear();
 }
 else
 {
 keyArray = UTF8Encoding.UTF8.GetBytes(key);
 }

 TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
 tdes.Key = keyArray;
 tdes.Mode = CipherMode.ECB;
 tdes.Padding = PaddingMode.PKCS7;
 ICryptoTransform cTransform = tdes.CreateDecryptor();
 byte[] resultArray = cTransform.TransformFinalBlock(
 toEncryptArray, 0, toEncryptArray.Length);
 tdes.Clear();
 return UTF8Encoding.UTF8.GetString(resultArray);
 }

&lt;/script&gt;
</code></pre>
</div>

<div>
You can POST to the server. From the link call a JavaScript JQuery function that would trigger a POST back to the server via AJAX and then on onSuccess of the AJAX function you can resume processing.
</div>

<div>
I am not sure which method was use, but the developers I have were able to find a way to encrypt the URL.
</div>

<div>
Keep in mind, you should always be using HTTPS + if you are using HTTPS, there's no encryption you can add which will provide better encryption than HTTPS. 
 
Best to use HTTPS + keep your query strings simple.
</div>

<div>
If you're using HTTPS, then your query string is already encrypted to anyone not making the request. 
 
For people making the request, they can still see the query string + use the query string, independent of any encryption. 
 
So HTTPS is all that's required.
</div>

<div>
<div class="content wysiwyg-content">
We are developing a NetCore application. &nbsp;It uses query strings in several places to pass IDs. 
What is the best way to hide the querystrings on the browser. I know there is some way of encrypting the whole URL so the parameters are not visible. Can this be done with an IIS setting or third party software?
</div>
</div>

We are developing a NetCore application.  It uses query strings in several places to pass IDs. 
What is the best way to hide the querystrings on the browser. I know there is some way of encrypting the whole URL so the parameters are not visible. Can this be done with an IIS setting or third party software?

Encrypt querystring

The successor to Active Server Pages, ASP.NET websites utilize the .NET framework to produce dynamic, data and content-driven web applications and services. ASP.NET code can be written using any .NET supported language. As of 2009, ASP.NET can also apply the Model-View-Controller (MVC) pattern to web applications

ASP.NET

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.