Description
The frontend sends the session token as a query parameter when requesting /api/jobs, e.g. /api/jobs?token=<JWT>
Authentication already relies on the Clerk session / authorization headers, so including the token in the URL appears unnecessary.
Impact
Tokens in URLs may be logged by servers, proxies, analytics tools, or stored in browser history, which can expose sensitive credentials.
Scope
Observed only on /api/jobs requests. Other endpoints (e.g., /profile, /stats) do not include the token in the query string.
Suggested Fix
Remove the token query parameter and rely on the existing authenticated request mechanism.
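As an added illustration of the suggested fix (example code, not the project's own frontend), the following shows the reported request shape beside a corrected one that keeps the credential out of the URL, plus a small review helper that flags and redacts credential-looking query parameters so a log line or browser-history entry never carries the token. The /api/jobs path comes from the report; the Bearer header scheme, the credentials option, and the list of sensitive parameter names are assumptions for the example.

```javascript
// Added example, not the project's own code. Endpoint path /api/jobs is from the
// report; the Authorization header scheme and SENSITIVE_PARAMS list are assumptions.

const SENSITIVE_PARAMS = ["token", "jwt", "access_token", "session"]; // assumed names

// Reported (weak) form: the session token travels in the query string, so it is
// visible to servers, proxies, analytics, and browser history.
function buildJobsRequestWeak(baseUrl, token) {
  const url = new URL("/api/jobs", baseUrl);
  url.searchParams.set("token", token);
  return { url: url.toString(), options: { method: "GET" } };
}

// Corrected form: the URL carries no credential. The token, when one is needed,
// goes in a request header; when the Clerk session cookie already authenticates
// the call, credentials: "include" is enough and no token need be attached at all.
function buildJobsRequestFixed(baseUrl, token) {
  const url = new URL("/api/jobs", baseUrl);
  const headers = {};
  if (token) headers["Authorization"] = `Bearer ${token}`;
  return {
    url: url.toString(),
    options: { method: "GET", headers, credentials: "include" },
  };
}

// Review check: report query parameters whose names look like credentials and
// return a copy of the URL with those values redacted, safe to write to a log.
function findSensitiveQueryParams(urlString) {
  const url = new URL(urlString);
  const found = [];
  // Collect names first so the redaction does not disturb the iteration.
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.includes(name.toLowerCase())) {
      found.push(name);
      url.searchParams.set(name, "REDACTED");
    }
  }
  return { found, redacted: url.toString() };
}

// Stand-alone demonstration with a constructed base URL and placeholder token.
const demoToken = "eyJ.constructed.placeholder";
const weak = buildJobsRequestWeak("https://app.example.test", demoToken);
const fixed = buildJobsRequestFixed("https://app.example.test", demoToken);
console.log("weak  :", findSensitiveQueryParams(weak.url));
console.log("fixed :", fixed.url, fixed.options.headers);
```

The check helper is the piece worth wiring into a request interceptor or a log formatter during review: it makes the regression concrete (any URL with a flagged parameter fails) rather than relying on someone noticing the query string by eye.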