How to hide URL query parameters in Spring MVC? Solutions for the third-party URL scenario
Got it, let's tackle this problem. Since you can't hide those query params using a simple URL tag, here are several solid alternative solutions to keep your invoice number and date out of the visible URL:
1. Use POST Requests Instead of GET
The most straightforward fix is to move the invno and invdt parameters from the URL query string into the body of a POST request. This way, the sensitive data never appears in the browser's address bar, browser history, or ordinary access logs (which record the request line, not the POST body, unless they are explicitly configured to capture it).
For example, you could use an HTML form to trigger the POST:
    <form action="http://abcxyz/GetDocument" method="POST">
      <input type="hidden" name="DocumentClass" value="INV">
      <input type="hidden" name="invno" value="098765546">
      <input type="hidden" name="invdt" value="11/01/2016">
      <button type="submit">View Invoice</button>
    </form>
Or if you're working with JavaScript, use fetch or axios to send the POST request programmatically. Note: You'll need to ensure the target server accepts POST requests for the GetDocument endpoint. If it only supports GET, you'll need a middle layer to forward the request.
2. Build a Backend Proxy/Middleman
Set up your own backend service that acts as a go-between for the user and the PDF provider. Here's how it works:
- The user requests a URL like your-domain.com/get-invoice/unique-invoice-key (no sensitive params visible)
- Your backend decrypts or looks up the unique-invoice-key to retrieve invno and invdt
- Your backend makes the request to http://abcxyz/GetDocument with the full parameters
- The backend returns the PDF directly to the user
This approach gives you full control over access, lets you add auth checks, and completely hides the original sensitive parameters from end users.
3. Encrypt Query Parameters (If GET Is Mandatory)
If you absolutely have to use GET requests, encrypt the sensitive parameters into a single, opaque token. Instead of passing invno and invdt separately, combine and encrypt them into a single parameter like token=xyz123abc.
For example:
- Your application (server-side, so the key never reaches the browser) takes invno=098765546 and invdt=11/01/2016 and encrypts them using a secure algorithm (like AES) with a secret key
- The request becomes http://abcxyz/GetDocument?DocumentClass=INV&token=encrypted-string
- The target server decrypts the token to extract the original parameters
Just make sure to use a strong encryption method and keep your secret key secure (never expose it to the client).
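The following is an added example, not code from the original answer: it packs invno and invdt into one opaque token with AES-GCM, so the token is both encrypted and authenticated (a modified token fails the tag check instead of decrypting to garbage). Both the side that builds the link and the side that resolves it must hold the same secret key; if the third-party GetDocument service cannot be changed to do this, the same token can be resolved by your own proxy endpoint instead. The class name, the 5-minute lifetime and the demo key are assumptions for illustration.

```java
// Added example (not from the original answer): one opaque, authenticated token
// carrying invno and invdt. Class name, lifetime and demo key are assumptions.
package example.invoice;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class InvoiceToken {
    private static final int NONCE_BYTES = 12;      // standard GCM nonce size
    private static final int TAG_BITS = 128;
    private static final long LIFETIME_SECONDS = 300; // assumed token lifetime
    private static final SecureRandom RANDOM = new SecureRandom();

    private final SecretKey key;

    public InvoiceToken(byte[] rawKey) {            // 16, 24 or 32 bytes
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Produces the value to place in ?token=... (URL-safe Base64, no padding). */
    public String seal(String invno, String invdt) throws GeneralSecurityException {
        // Expiry travels inside the ciphertext, so a captured link stops working
        // after LIFETIME_SECONDS even though the key itself is unchanged.
        long expires = Instant.now().getEpochSecond() + LIFETIME_SECONDS;
        byte[] plain = (expires + "|" + invno + "|" + invdt).getBytes(StandardCharsets.UTF_8);

        byte[] nonce = new byte[NONCE_BYTES];
        RANDOM.nextBytes(nonce);                    // fresh nonce per token; never reuse with GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD("INV".getBytes(StandardCharsets.UTF_8)); // binds the token to DocumentClass=INV
        byte[] sealed = cipher.doFinal(plain);      // ciphertext followed by the 16-byte tag

        byte[] out = ByteBuffer.allocate(NONCE_BYTES + sealed.length).put(nonce).put(sealed).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns {invno, invdt}, or null if the token is forged, damaged or expired. */
    public String[] open(String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < NONCE_BYTES + TAG_BITS / 8) return null;
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, spec);
            cipher.updateAAD("INV".getBytes(StandardCharsets.UTF_8));
            // doFinal throws AEADBadTagException on any modification of the token
            String plain = new String(cipher.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES),
                                      StandardCharsets.UTF_8);
            String[] parts = plain.split("\\|", 3);
            if (parts.length != 3 || Long.parseLong(parts[0]) < Instant.now().getEpochSecond()) {
                return null;                        // malformed or expired
            }
            return new String[] {parts[1], parts[2]};
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;                            // one failure path; do not leak the reason
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];              // constructed demo key; load the real one from a vault or env
        RANDOM.nextBytes(demoKey);
        InvoiceToken t = new InvoiceToken(demoKey);
        String token = t.seal("098765546", "11/01/2016");
        System.out.println("http://abcxyz/GetDocument?DocumentClass=INV&token=" + token);
        String[] back = t.open(token);              // round-trips the original pair
        System.out.println(back[0] + " " + back[1]);
        String tampered = token.substring(0, token.length() - 2) + "AA";
        System.out.println(t.open(tampered));       // tampered token fails the tag check, so open() returns null
    }
}
```

The expiry inside the token is the important design choice: encryption alone hides the invoice number but does not stop someone who obtains the full link (from a shared screenshot, a referrer header, or a proxy log) from opening it later, so the resolving side should also check the token against the logged-in user where it can.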
4. Store Parameters in a Session
If you're already managing user sessions, store invno and invdt in the user's server-side session or an HttpOnly cookie before accessing the PDF. Then, when the user visits http://abcxyz/GetDocument?DocumentClass=INV, the server pulls the parameters from the session instead of the URL.
This keeps the URL clean, but you'll need to handle session expiration and edge cases like users opening multiple tabs (to avoid mixing up invoice data).
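The following is an added example, not code from the original answer, that combines the proxy approach from section 2 with the session approach from section 4 in a single Spring MVC controller. The UI posts invno and invdt once; the controller stores them server-side under a random per-selection reference, so several open tabs each keep their own invoice instead of overwriting one session value; a GET on the opaque reference then fetches the PDF from http://abcxyz/GetDocument (the URL from the question) and streams it back. It assumes Spring Boot 3 (jakarta servlet API); the class, route and attribute names are hypothetical, and the authorization check is left as a hook because it depends on your user model.

```java
// Added example (not from the original answer): opaque per-selection references
// held in the HTTP session, resolved by a server-side proxy that fetches the PDF.
// Assumes Spring Boot 3; class, route and attribute names are hypothetical.
package example.invoice;

import java.net.URI;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.http.HttpSession;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

@RestController
public class InvoiceProxyController {

    private static final String UPSTREAM = "http://abcxyz/GetDocument"; // from the question
    private static final String SESSION_ATTR = "invoiceRefs";           // hypothetical attribute name
    private static final int MAX_REFS_PER_SESSION = 20;                 // bounds per-session memory

    private final RestTemplate http = new RestTemplate();
    private final SecureRandom random = new SecureRandom();

    /** Step 1: the UI posts invno/invdt once; they never appear in a GET URL. */
    @PostMapping("/invoices/select")
    public Map<String, String> select(@RequestParam String invno,
                                      @RequestParam String invdt,
                                      HttpSession session) {
        // One random reference per selection: multiple tabs do not clobber each other.
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        String ref = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);

        Map<String, String[]> refs = refs(session);
        if (refs.size() >= MAX_REFS_PER_SESSION) {
            refs.remove(refs.keySet().iterator().next()); // LinkedHashMap: drops the oldest entry
        }
        refs.put(ref, new String[] {invno, invdt});
        session.setAttribute(SESSION_ATTR, refs);
        return Map.of("ref", ref); // the client then navigates to /invoices/{ref}
    }

    /** Step 2: the opaque ref is resolved server-side and the PDF streamed back. */
    @GetMapping(value = "/invoices/{ref}", produces = MediaType.APPLICATION_PDF_VALUE)
    public ResponseEntity<byte[]> fetch(@PathVariable String ref, HttpSession session) {
        String[] params = refs(session).get(ref);
        if (params == null) {
            // Unknown, expired or another session's ref all look the same to the caller.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        // Authorization hook: confirm the logged-in user may view this invoice
        // before contacting the upstream service (depends on your user model).

        URI upstream = UriComponentsBuilder.fromHttpUrl(UPSTREAM)
                .queryParam("DocumentClass", "INV")
                .queryParam("invno", params[0])
                .queryParam("invdt", params[1])
                .build().encode().toUri();   // percent-encodes anything not allowed in a query value
        byte[] pdf = http.getForObject(upstream, byte[].class);

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_PDF);
        headers.setContentDisposition(ContentDisposition.inline().filename("invoice.pdf").build());
        headers.setCacheControl("no-store"); // keep the invoice PDF out of shared caches
        return new ResponseEntity<>(pdf, headers, HttpStatus.OK);
    }

    @SuppressWarnings("unchecked")
    private static Map<String, String[]> refs(HttpSession session) {
        Object existing = session.getAttribute(SESSION_ATTR);
        return existing instanceof Map ? (Map<String, String[]>) existing : new LinkedHashMap<>();
    }
}
```

Because the reference only exists inside the session that created it, a copied /invoices/{ref} link is useless to anyone else, and session expiry cleans the stored pairs up automatically; the per-session cap keeps a user who keeps selecting invoices from growing the session without bound.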
Each of these approaches has its own trade-offs—POST is simple if the server supports it, a proxy gives you maximum control, encrypted params work for GET-only scenarios, and sessions are good if you're already managing user sessions. Pick the one that fits your tech stack and security needs best.
The question comes from Stack Exchange; question author: Adarsh Singh.