SAP Knowledge Base Article - Public

3161405 - Signavio-id should be removed from URL


Passing sensitive information in URL is against recommended security best practices. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referrer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.


This is a known limitation that has been reported to our Product Managers. If you would like to be notified on the status, please create a ticket in the SAP Support Launchpad and reference the ticket number: SPM-9362

There's a partial fix for restricting access to private URLs in our software which denies every access besides embedding. A support engineer should be able to enable the feature package called "deprecatePurl" for this tenant and all of its users to disable general access and creation of those links. Be aware that links might break due to this change and will no longer be accessible via authkey. There you can remove the authKey from the URL and login in as usually.


KBA , BPI-SIG-HUB , SAP Signavio Process Collaboration Hub , Product Enhancement


SAP Process Collaboration Hub by Signavio all versions