Query String Encryption using HTTP Module : ASP.NET Security

Most of the time we pass information between pages of a web application through the query string. However, the query string gives the end user direct visibility into the parameters your page expects. If someone modifies the query string and passes that information to the page, it can become a potential security threat.


There are a lot of ways to encrypt a query string. But most of them do not encrypt the query parameter names; they only encrypt the values. And if someone tries different algorithms against those values, it could again lead to a security breach unless you did some very good exception handling.


If you encrypt your query string, every time you want to access your values you have to decrypt it first. If you have already written some code, you will have to adapt that code after the implementation, which can be a big impact. What if there were a way to display the query string in encrypted form to the user while, for the code, it stays the same?

What I mean is :

The user sees this


while your code sees

ID=123&Query=select and accesses it through Request.QueryString["ID"]....

How to encrypt your query string in ASP.NET with the help of an HTTP module?

Before we dive in, let me explain what an HTTP module is.

HTTP modules are one of the series of extensible objects that the ASP.NET runtime can instantiate to process a request. They are filters that can pre- and post-process requests as they pass through the HTTP pipeline. Many of the services provided in ASP.NET are exposed as HTTP modules, especially the ones related to security.

So how do we use an HTTP module for encrypting and decrypting query strings?

Download the source code for the file here.

The source file in the above link contains the code for encryption and decryption of the query string.

How to use it ?

  • Include the file in your project and change the namespace accordingly.
  • Once you have included the file in your project, add the following tag to the httpModules section of your Web.config.

    <httpModules>
        <add name="EncryptDecryptModule" type="Technade.Web.Core.Application.EncryptDecrypt"/>
    </httpModules>
  • Make sure that the type in the above line matches the namespace and class name in your project.
That's it, you are done. Now all the query strings in your application will be automatically encrypted. Sometimes you may want to enable or disable query string encryption manually. The source code in the file has a provision for enabling and disabling query string encryption.

You will find the following line in the source code.

// Encrypt the query string and redirects to the encrypted URL.
// Remove if you don't want all query strings to be encrypted automatically.

string encryptedQuery = Encrypt(query);

Remove the line and the query strings will not be encrypted automatically. Instead you will have to call Encrypt manually, as below, whenever you want a query string encrypted.

string querystring = EncryptDecrypt.Encrypt( "ID=123&query=select" );

Decryption, however, is automatic: the module always checks for the encryption key that is prepended to the query string. If the encryption key exists, the module decrypts the query string; otherwise it leaves it as it is. The file has been documented to a good extent, so it should not be too difficult to understand how it works.
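
The marker-then-decrypt flow described above, as an added example that is not the code from the download: it uses ASP.NET's `MachineKey.Protect`/`Unprotect` (.NET 4.5+), which authenticates as well as encrypts, so a modified token is rejected instead of being decrypted into garbage. The class name `ProtectedQueryModule`, the `enc=` marker and the purpose string are assumptions, and the automatic redirect of plain query strings is left out.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example; "enc=" and the purpose string are assumed names, not the post's.
public class ProtectedQueryModule : IHttpModule
{
    private const string Marker = "enc=";                     // assumed marker parameter
    private const string Purpose = "ProtectedQueryModule.v1"; // assumed purpose string

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    // Call when building links: "ID=123&Query=select" becomes "enc=<token>".
    public static string Encrypt(string query)
    {
        byte[] token = MachineKey.Protect(Encoding.UTF8.GetBytes(query), Purpose);
        return Marker + HttpServerUtility.UrlTokenEncode(token);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string raw = ctx.Request.Url.Query.TrimStart('?');
        if (!raw.StartsWith(Marker, StringComparison.Ordinal))
            return; // no marker: leave the request as it is

        try
        {
            byte[] token = HttpServerUtility.UrlTokenDecode(raw.Substring(Marker.Length));
            string query = Encoding.UTF8.GetString(MachineKey.Unprotect(token, Purpose));
            // After the rewrite, pages keep reading Request.QueryString["ID"].
            ctx.RewritePath(ctx.Request.FilePath, ctx.Request.PathInfo, query);
        }
        catch (Exception ex) when (ex is CryptographicException || ex is FormatException || ex is ArgumentNullException)
        {
            // Tampered or truncated token: fail closed instead of handing it to the page.
            ctx.Response.StatusCode = 400;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Because the keys come from the application's `machineKey` configuration, every server that handles these URLs has to share the same `machineKey` for tokens issued by one server to decrypt on another.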



Works as designed, but URLs are exposed in asp:hyperlinks and asp:imagebutton etc.

I have changed the file as:

//namespace Technade.Web.Core.Application
public class EncryptDecrypt : IHttpModule

I have added the file in APP_CODE and added the following line in web.config:

However this does not work.

Please help!

Did you use the encrypt and decrypt functions in your code?

Works for me! But this does not work when the postback event happens. Do you have an idea how to solve this?

My code works fine on the local server, but when deployed to the server it doesn't show the encrypted value; rather, it displays the actual value. How can I solve this problem?

Could not load type ' Technade.Web.Core.Application.EncryptDecrypt'. (C:\Users\nk\CDSL\web.config line 73)
What mistake did I make?

My web.config is
