
Documentation Index

Fetch the complete documentation index at: https://docs.esperr.com/llms.txt

Use this file to discover all available pages before exploring further.

What are Query Parameters?

Query parameters are key-value pairs that appear after the ? in a URL. They send additional data to the server without being part of the main path.
MDN Web Docs: Read more on URL query parameters.

Understanding Query Parameter Structure

https://shop.com/products?category=shoes&size=10&color=black
                          └─────────query parameters─────────┘
Breaking this down:
  • category = shoes
  • size = 10
  • color = black

Common Query Parameter Uses

Search & Filtering

  • ?q=search+term - Search queries
  • ?sort=price - Sorting options
  • ?filter=available - Filtering results
  • ?page=2 - Pagination

Tracking & Analytics

  • ?utm_source=email - Marketing attribution
  • ?ref=homepage - Referral tracking
  • ?session=abc123 - Session tracking

API Parameters

  • ?api_key=xxx - Authentication (not recommended!)
  • ?format=json - Response format
  • ?limit=100 - Result limits
  • ?fields=id,name - Field selection

Application Control

  • ?debug=true - Debug mode (dangerous in production!)
  • ?redirect=/dashboard - Post-login redirects
  • ?action=delete - Action specification

Using Query Parameters in Policies

Basic Examples

Block debug parameters in production:
Field Type: Query Parameter
Field Reference: debug
Operator: is present
Action: Block
Monitor high-value searches:
Field Type: Query Parameter
Field Reference: price_min
Operator: greater than
Value: 1000
Action: Monitor

Advanced Patterns

Detect SQL injection attempts:
Field Type: Query Parameter
Field Reference: q
Operator: contains
Value: SELECT
OR
Value: DROP
OR
Value: UNION
Action: Block
This keyword match is a coarse heuristic, not an injection detector: a legitimate search can contain one of these words, and an attacker can change the case, percent-encode the value, or use a keyword that is not on the list. Run it in Monitor mode first and treat a match as a signal; the application's own parameterized queries are what actually prevent SQL injection.
Rate limit search API:
Field Type: Request Path
Operator: equals
Value: /api/search
AND
Field Type: Query Parameter
Field Reference: q
Operator: is present
Window: 1 minute
Threshold: 30
Action: Challenge
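The rate-limit rule above differs from the others in needing state: a per-client count over a time window. The following Python is an added example, not esperr's code, that implements the same match (path equals /api/search and q is present) with a sliding one-minute window and a threshold of 30. The client address and URLs are constructed, and the assumption that the 31st matching request in the window is the first to be challenged is ours; the page does not say whether the threshold is inclusive.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

WINDOW_SECONDS = 60   # "Window: 1 minute"
THRESHOLD = 30        # "Threshold: 30"


def matches_search_rule(url):
    """Path equals /api/search AND query parameter q is present.
    keep_blank_values makes '?q=' and a bare '?q' count as present."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path == "/api/search" and "q" in params


class SlidingWindowLimiter:
    """Per-client sliding window: keeps the timestamps of matching requests
    seen in the last `window` seconds and challenges once more than
    `threshold` of them have arrived (assumption: the threshold is inclusive,
    so the 31st request in a minute is the first one challenged)."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # client -> deque of request timestamps

    def decide(self, client, url, now):
        if not matches_search_rule(url):
            return "Allow"               # rule does not apply; request is not counted
        times = self.seen[client]
        while times and now - times[0] >= self.window:
            times.popleft()              # drop hits that fell out of the window
        times.append(now)
        return "Challenge" if len(times) > self.threshold else "Allow"


if __name__ == "__main__":
    # Constructed traffic: one client sending 31 searches within the same minute.
    limiter = SlidingWindowLimiter()
    client = "203.0.113.7"
    url = "https://shop.example/api/search?q=shoes"
    decisions = [limiter.decide(client, url, float(t)) for t in range(31)]
    print(decisions.count("Allow"), "allowed,", decisions.count("Challenge"), "challenged")
```

Requests that do not match the rule (a different path, or no q parameter) are neither limited nor counted, so a burst of /api/search?page=2 requests does not consume the client's budget; if that is not what you want, match on the path alone.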
Security Alert: Never put sensitive data such as passwords, session tokens or API keys in query parameters. URLs end up in server and proxy logs, browser history and bookmarks, and are sent to third parties in the Referer header when the page links out.

Query Parameter Operators

Operator              Use Case              Example
equals                Exact value match     action=delete
contains              Substring match       search contains "script"
starts with           Prefix match          ref starts with "partner_"
is present            Parameter exists      debug is present
is not present        Parameter missing     api_key is not present
greater than          Numeric comparison    limit > 1000
length greater than   Value length          q length greater than 100
matches regex         Pattern matching      matches ^[0-9]+$
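To make the operators above concrete, here is an added Python example (not the esperr engine, whose internals this page does not describe) that implements each operator in the table, combines conditions with AND within a rule and OR across alternative values, and evaluates the rules from the Basic and Advanced examples above against constructed URLs. Matching is case-sensitive here, and the AND/OR reading of the rule syntax is an assumption; the sample run shows why the SQL keyword rule both blocks a harmless search and misses a mixed-case payload.

```python
import re
from urllib.parse import parse_qs, urlsplit


def query_params(url):
    """Parse the query string into {name: [values]}. keep_blank_values is set so
    '?debug' with no value still counts as present."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def _as_number(text):
    try:
        return float(text)
    except ValueError:
        return None


# One predicate per operator in the table. Each receives the list of values the
# parameter carries (a parameter may repeat) and the rule's value. Comparison
# is case-sensitive here; the page does not say how the real engine compares.
OPERATORS = {
    "equals":              lambda vals, v: v in vals,
    "contains":            lambda vals, v: any(v in x for x in vals),
    "starts with":         lambda vals, v: any(x.startswith(v) for x in vals),
    "greater than":        lambda vals, v: any(n is not None and n > float(v)
                                               for n in map(_as_number, vals)),
    "length greater than": lambda vals, v: any(len(x) > int(v) for x in vals),
    "matches regex":       lambda vals, v: any(re.search(v, x) for x in vals),
}


def condition_holds(params, field, operator, value=None):
    vals = params.get(field)
    if operator == "is present":
        return vals is not None
    if operator == "is not present":
        return vals is None
    if vals is None:
        return False                     # an absent parameter never satisfies a value test
    values = value if isinstance(value, (list, tuple)) else [value]
    return any(OPERATORS[operator](vals, v) for v in values)   # OR over alternative values


def evaluate(url, rules):
    """First rule whose conditions all hold (AND) decides; otherwise Allow."""
    params = query_params(url)
    for rule in rules:
        if all(condition_holds(params, *cond) for cond in rule["when"]):
            return rule["action"]
    return "Allow"


# The page's rules, transcribed into data: (field, operator[, value]).
RULES = [
    {"when": [("debug", "is present")], "action": "Block"},
    {"when": [("q", "contains", ["SELECT", "DROP", "UNION"])], "action": "Block"},
    {"when": [("price_min", "greater than", "1000")], "action": "Monitor"},
    {"when": [("user_id", "is present"), ("admin", "equals", "true")], "action": "Block"},
]

if __name__ == "__main__":
    # Constructed sample URLs, including one false positive and one evasion.
    for url in [
        "https://shop.example/products?category=shoes&debug",
        "https://shop.example/search?q=SELECT+*+FROM+users--",
        "https://shop.example/search?q=SELECT+running+shoes",   # harmless search, blocked anyway
        "https://shop.example/search?q=sElEcT+*+FROM+users--",  # mixed case, not caught
        "https://shop.example/search?price_min=1500",
        "https://shop.example/account?user_id=7&admin=true",
    ]:
        print(evaluate(url, RULES), url)
```

Because rules are evaluated in order and the first match wins, put narrow Block rules before broad Monitor rules, and keep the keyword rule in Monitor until you have looked at what it catches in your own traffic.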

Security Considerations

Dangerous Query Parameters

Parameter     Risk                     What to Do
debug=true    Exposes sensitive info   Block in production
admin=1       Privilege escalation     Block unless authorized
redirect=     Open redirect attacks    Validate destinations
file=         Path traversal           Sanitize file paths
sql=          Direct SQL execution     Block immediately

Common Attack Patterns

Open Redirect Detection:
Field Type: Query Parameter
Field Reference: redirect
Operator: starts with
Value: http
Action: Block # Only allow relative redirects
Note that "starts with http" catches only absolute http(s) URLs. A protocol-relative value such as //evil.example, a backslash variant like /\evil.example, or a percent-encoded form of either still sends the browser off-site, so the application should also validate the destination against an allow-list of its own paths.
Path Traversal Prevention:
Field Type: Query Parameter
Field Reference: file
Operator: contains
Value: ../
Action: Block
Whether this catches %2e%2e%2f (the percent-encoded form of ../) depends on whether the value is decoded before the operator runs; confirm this for your engine and add a rule for the encoded form if it is not. The server should still canonicalise the path and refuse anything that resolves outside the intended directory.
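The two rules above are pattern matches on the parameter value; the application still has to decide what the value means. The following added Python example (not esperr's code) places the page's two rules, transcribed literally, beside hardened server-side checks: a redirect validator that accepts only a path on the same site, and a file resolver that decodes, normalises and confines the path to a base directory. The base directory /srv/app/files and the sample values are constructed; the point is which inputs each version lets through.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e%252f is seen as '../'. The bound stops pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# --- The page's rules, literally -------------------------------------------

def naive_redirect_blocked(redirect):
    """'redirect starts with http' -> Block."""
    return redirect.startswith("http")


def naive_traversal_blocked(file_param):
    """'file contains ../' -> Block."""
    return "../" in file_param


# --- Hardened server-side checks -------------------------------------------

def is_local_redirect(redirect):
    """Accept only an absolute path on this site. Rejects absolute URLs,
    protocol-relative //host, backslash and control-character variants,
    and percent-encoded forms of all of these."""
    value = fully_decode(redirect)
    if any(ord(ch) < 0x20 for ch in value):
        return False                      # some parsers strip tabs/newlines, turning /\t/host into //host
    value = value.replace("\\", "/")      # browsers treat /\host like //host
    if not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    return not parts.scheme and not parts.netloc


def resolve_upload_path(file_param, base="/srv/app/files"):
    """Decode, normalise, and require the result to stay under base
    (constructed directory). Returns the resolved path, or None when the
    request escapes it."""
    value = fully_decode(file_param).replace("\\", "/")
    if "\x00" in value:
        return None                       # NUL can truncate the path in lower layers
    resolved = posixpath.normpath(posixpath.join(base, value.lstrip("/")))
    if resolved == base or resolved.startswith(base + "/"):
        return resolved
    return None


if __name__ == "__main__":
    # Constructed inputs: what the page's rule decides versus the hardened check.
    for r in ["/dashboard", "https://evil.example/", "//evil.example/", "%2F%2Fevil.example"]:
        print(f"{r!r:28} naive-blocked={naive_redirect_blocked(r)!s:5} local={is_local_redirect(r)}")
    for f in ["report.pdf", "../../etc/passwd", "%2e%2e%2fetc%2fpasswd", "..%5c..%5cetc%5cpasswd"]:
        print(f"{f!r:28} naive-blocked={naive_traversal_blocked(f)!s:5} resolved={resolve_upload_path(f)}")
```

The edge rule remains useful as a cheap first filter and as telemetry; the hardened checks are what the handler behind it should run, because they decide on the decoded, normalised value rather than on the bytes as sent.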

Best Practices

DO:

  • Validate parameter values - Check for expected formats and ranges
  • Monitor unusual parameters - Unknown parameters might indicate probing
  • Limit parameter sizes - Extremely long values can cause issues
  • Encode special characters on output - Treat parameter values as data wherever they are reflected into HTML, SQL or commands, to prevent injection attacks
  • Track parameter combinations - Certain combos might indicate attacks

DON’T:

  • Trust user input - Always validate query parameters
  • Expose internal parameters - Hide debug/admin params in production
  • Use for sensitive data - Passwords, tokens shouldn’t be in URLs
  • Ignore encoding - URL encoding can hide malicious content
  • Allow unlimited values - Set reasonable limits

Working with Multiple Parameters

Often you need to check multiple parameters together:
# Detect unexpected privilege parameters
Field Type: Query Parameter
Field Reference: user_id
Operator: is present
AND
Field Type: Query Parameter
Field Reference: admin
Operator: equals
Value: true
Action: Block

URL Encoding Gotchas

Encoding Awareness: Query parameters are URL encoded:
  • Space becomes + or %20 (so a literal + must be sent as %2B)
  • & becomes %26
  • = becomes %3D
  • % itself becomes %25, which is how a value ends up double-encoded (%252e for a single .)
Your policies should account for both encoded and decoded values, and you should know whether your engine compares against the raw or the decoded value.
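The parsing rules from the structure section at the top of the page and the encoding points just listed can be checked with an added Python example (not esperr's code) that decodes constructed query strings with the standard library, splits the same strings without decoding to show what a raw match sees, and flags values that are still percent-encoded after one round of decoding. The URLs are constructed; whether the real engine matches on raw or decoded values is not stated on this page, and this is the behaviour the example helps you test.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlsplit

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def parse_query(url):
    """Decode the query string into {name: [values]} the way a browser form
    submission is interpreted: '+' and '%20' are spaces, '%26'/'%3D' are a
    literal '&'/'=' inside a value, repeated names collect into a list, and
    blank values are kept so that '?debug' still shows up."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def raw_pairs(url):
    """Split without decoding: what a policy that matches on the raw query sees."""
    query = urlsplit(url).query
    return [tuple(pair.partition("=")[::2]) for pair in query.split("&") if pair]


def has_double_encoding(url):
    """After one round of decoding, a surviving %XX escape means the sender
    encoded twice (or sent a literal percent sequence); this is a common way
    to slip '../' or '<script>' past a rule that decodes only once."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if PCT_ESCAPE.search(name) or PCT_ESCAPE.search(value):
            return True
    return False


def contains_raw(url, param, needle):
    """'contains' evaluated on the undecoded value."""
    return any(name == param and needle in value for name, value in raw_pairs(url))


def contains_decoded(url, param, needle):
    """'contains' evaluated after decoding."""
    return any(needle in value for value in parse_query(url).get(param, []))


if __name__ == "__main__":
    # Constructed URLs illustrating each gotcha.
    for url in [
        "https://shop.example/s?q=running+shoes",
        "https://shop.example/s?q=C%2B%2B",
        "https://shop.example/s?q=C++",
        "https://shop.example/s?note=a%26b%3Dc",
        "https://shop.example/s?tag[]=a&tag[]=b",
        "https://shop.example/s?debug",
    ]:
        print(parse_query(url), "<-", urlsplit(url).query)
    enc = "https://shop.example/dl?file=%2e%2e%2fetc%2fpasswd"
    print("raw contains ../:", contains_raw(enc, "file", "../"),
          "| decoded contains ../:", contains_decoded(enc, "file", "../"))
    print("double-encoded:", has_double_encoding("https://shop.example/dl?file=%252e%252e%252fetc"))
```

A value flagged by has_double_encoding is rarely legitimate in a search or file parameter, which makes it a good Monitor rule on its own, independent of what the decoded content turns out to be.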

Real-World Scenarios

E-commerce Protection

# Prevent price manipulation
Field Type: Query Parameter
Field Reference: price
Operator: is present
AND
Field Type: Request Path
Operator: equals
Value: /checkout
Action: Block  # Price should come from server

API Rate Limiting

# Different limits for different operations
Field Type: Query Parameter
Field Reference: operation
Operator: equals
Value: bulk_export
Window: 1 hour
Threshold: 5
Action: Block

Search Protection

# Prevent search spam
Field Type: Query Parameter
Field Reference: q
Operator: length greater than
Value: 100
Action: Challenge

Troubleshooting

“My query parameter policy isn’t matching”
  • Check URL encoding (spaces, special chars)
  • Verify parameter name exactly
  • Multiple values might use arrays (tag[]=a&tag[]=b)
  • Some frameworks modify parameter names
“False positives with legitimate traffic”
  • Your pattern might be too broad
  • Consider parameter context (same param, different endpoints)
  • URL encoding might cause unexpected matches
  • Use monitoring before blocking

Integration Examples

With Other Fields

# Only allow debug from internal IPs
Field Type: Query Parameter
Field Reference: debug
Operator: is present
AND
Field Type: Client IP
Operator: not in range
Value: 10.0.0.0/8
Action: Block
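The rule above is only as good as the Client IP it sees. The following added Python example (not esperr's code) applies the same condition with the ipaddress module and adds the check a proxy-fronted deployment needs: X-Forwarded-For is believed only when the TCP peer is a trusted proxy, because otherwise an external client can claim a 10.x address and switch debug mode on. The proxy address 192.0.2.10 and the sample requests are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # "Value: 10.0.0.0/8"
# Constructed: the reverse proxy / load balancer that terminates client
# connections. Only X-Forwarded-For headers arriving from it are believed.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def client_ip(remote_addr, x_forwarded_for=None):
    """Resolve the client address. X-Forwarded-For is attacker-controlled
    unless the TCP peer is a trusted proxy; with one trusted hop, the
    rightmost entry is the address that proxy actually saw, and anything
    the client prepended to the left is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and peer in TRUSTED_PROXIES:
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def decide(url, remote_addr, x_forwarded_for=None):
    """debug is present AND client IP not in 10.0.0.0/8 -> Block."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "debug" in params and client_ip(remote_addr, x_forwarded_for) not in INTERNAL:
        return "Block"
    return "Allow"


if __name__ == "__main__":
    # Constructed requests: direct internal, direct external, a spoofed header
    # from an untrusted peer, and two requests relayed by the trusted proxy.
    url = "https://app.example/reports?debug=true"
    print(decide(url, "10.1.2.3"))                                  # Allow
    print(decide(url, "203.0.113.5"))                               # Block
    print(decide(url, "203.0.113.5", "10.1.2.3"))                   # Block: header ignored
    print(decide(url, "192.0.2.10", "10.1.2.3"))                    # Allow: via proxy, internal
    print(decide(url, "192.0.2.10", "10.1.2.3, 203.0.113.5"))       # Block: rightmost wins
```

If more than one trusted proxy sits in the chain, walk the X-Forwarded-For list from the right and skip every entry that is itself a trusted proxy; the first untrusted address is the client.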
  • Request Path - Parameters extend path functionality
  • Headers - Some apps send params in headers too
  • Body Data - POST requests might use body instead
  • Cookies - Session data alternative to URL params