---
title: Route calls external APIs insecurely
description: Datadog, the leading service for cloud-scale monitoring.
---

# Route calls external APIs insecurely
 
## Description{% #description %}

An API route embeds secrets such as API keys, tokens, or other credentials in the URL (path or query string) of requests it makes to external APIs. Secrets in URLs are particularly dangerous because URLs are routinely written to web server, proxy, and other intermediary access logs and are forwarded in the `Referer` header, none of which happens to request headers or bodies by default. This makes credential exposure far more likely than when secrets are sent in an `Authorization` header or in the request body.

## Rationale{% #rationale %}

This rule flags an API route handler that, when making a request to an external API, places a secret or API key in the request URL rather than in a header or the body.

## Remediation{% #remediation %}

- Pass secrets in request headers (for example, the `Authorization` header) rather than in URL path or query parameters
- Ensure all external API calls transmitting credentials are made over HTTPS, so that headers and bodies are encrypted in transit
- Rotate any API keys that may have been exposed in URLs and treat them as compromised, since they may already sit in logs you do not control
- Use a secrets manager to control and audit credential usage instead of hard-coding keys in the application

### References{% #references %}

| Reference                                                                                                                         | Description                                                       |
| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| [OWASP API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | OWASP API Security guidance on safely consuming third-party APIs. |
