Intent-Code Divergence
Medium
- Confidence: 97%
- Finding: The report claims safe token handling, but the documented access pattern embeds the gateway token in the page URL query string. Query parameters are routinely exposed via browser history, bookmarks, screenshots, reverse proxies, referrer leaks, and server/access logs, so this is a real credential exposure risk even if the application itself never explicitly prints the token.
