Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Develop a feature for whitlisting query string keys.
Keys present in $_GET but not whitelisted should be removed by a redirect.
This will probably only work for basic sites (eg whitelist "page" only). Modules such as ApacheSolr use unpredictable querystring keys. Views also produces querystring keys from exposed filters.