Is it okay that a website displays the csrf_token as a URL parameter? I have a feeling that I shouldn't be able to see it, but I am not quite sure. If someone can clear this up a bit, I would be grateful!
No, it's not acceptable.
Passing tokens in URLs isn't normally an acceptable solution. Actually, it's in some cases considered a vulnerability.
What if the website is not running under HTTPS?
What if it's running under HTTPS but HSTS isn't enabled on the server? Then SSL-stripping techniques and other MITM attacks would be possible.
Even if it's running under HTTPS and HSTS is enabled, that won't solve the issue.
The token could be exposed in:
For more information refer to:
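As an added example (not part of the original answer), the following audit scans web server access logs for CSRF-style tokens that ended up in a logged request URL or in a `Referer` header, two places a URL parameter is recorded regardless of HTTPS. The parameter names, the Combined Log Format assumption and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as CSRF tokens (assumed; adjust to the application).
TOKEN_PARAMS = {"csrf_token", "csrf", "_csrf",
                "csrfmiddlewaretoken", "authenticity_token"}

# Combined Log Format: "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def token_params(url):
    """Return the CSRF-like parameter names found in a URL's query string."""
    query = urlsplit(url).query
    return sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in TOKEN_PARAMS})

def audit(lines):
    """Return (line_no, field, param) for every token found in a logged URL."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a Combined Log Format line
        for field in ("target", "referer"):
            for name in token_params(match.group(field)):
                findings.append((line_no, field, name))
    return findings

# Constructed sample log lines (not from any real system).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /profile?csrf_token=EXAMPLE123 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /static/app.js HTTP/1.1" 200 900 '
    '"https://site.example/profile?csrf_token=EXAMPLE123" "UA"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] '
    '"POST /transfer HTTP/1.1" 200 64 "https://site.example/form" "UA"',
]

if __name__ == "__main__":
    for line_no, field, name in audit(SAMPLE):
        print(f"line {line_no}: {name} recorded in {field}")
```

The third sample line carries its token in the POST body, so nothing is recorded in the log for it.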