Allowing Unwanted Query String Variables


Kahless - 6:05 am on Jan 31, 2010 (gmt 0)


The URL is checked for validity and if it requires query string keys they are checked for validity.
If a key shows up that is not used, I 404 it, and if it is used but has bad data, I send a 400 "bad request".

I however tested sending a bogus query string key to a valid page on a few of the most popular web sites on the internet, and they still accept the request as HTTP 200.

I am therefore thinking maybe I need to be less restrictive -- allow bogus keys in the URL and not redirect, like they do. This is since, if your top websites are handling it that way, maybe there is some good reason I am not aware of (maybe some search engines that I see sending bogus keys in my logs).

Maybe I am just overthinking security measures and this is a non-issue. I always worry whether I am not doing enough or am doing too much when it comes to security.
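
The two policies discussed in the post above, side by side, as an added example that is not part of the original thread or the poster's code. The function name, the `id`/`sort` rules and the sample query strings are constructed for illustration, and answering 400 for a missing required key is an assumption (the post does not say which status it uses). Requires PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

/**
 * Decide the HTTP status for a parsed query string (hypothetical helper).
 * $rules:    allowed key => validator returning true when the value is acceptable
 * $required: keys the page cannot work without
 * $strict:   true  = unknown keys give 404 (the policy described in the post)
 *            false = unknown keys are ignored and never read (what the large sites appear to do)
 */
function checkQuery(array $query, array $rules, array $required, bool $strict): int
{
    // Keys the page does not use at all.
    if ($strict && array_diff_key($query, $rules) !== []) {
        return 404;
    }
    // Assumption: a missing required key is treated as a bad request.
    if (array_diff_key(array_flip($required), $query) !== []) {
        return 400;
    }
    // Only allowlisted keys are ever validated or used, in either mode.
    foreach (array_intersect_key($query, $rules) as $key => $value) {
        // "?id[]=42" arrives as an array; a validator must only ever see a string.
        if (!is_string($value) || !$rules[$key]($value)) {
            return 400;
        }
    }
    return 200;
}

// Constructed rules for one page: a numeric id and an optional sort order.
$rules = [
    'id'   => fn(string $v): bool => preg_match('/\A[1-9][0-9]{0,8}\z/', $v) === 1,
    'sort' => fn(string $v): bool => in_array($v, ['asc', 'desc'], true),
];

// Constructed sample query strings.
$samples = ['id=42&sort=asc', 'id=42&bogus=1', 'id=abc', 'id[]=42', 'sort=asc'];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf(
        "%-16s strict=%d lenient=%d\n",
        $qs,
        checkQuery($query, $rules, ['id'], true),
        checkQuery($query, $rules, ['id'], false)
    );
}
```

In both modes the application code only ever reads keys that passed the allowlist, so the two policies differ only in the status returned when an extra key is present.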


Thread source: http://www.webmasterworld.com/php/4071164.htm