diff --git a/Packs/Security/src/Recon/Tools/IpinfoClient.ts b/Packs/Security/src/Recon/Tools/IpinfoClient.ts
index 36fd633d1b..e34cbd2055 100755
--- a/Packs/Security/src/Recon/Tools/IpinfoClient.ts
+++ b/Packs/Security/src/Recon/Tools/IpinfoClient.ts
@@ -83,10 +83,14 @@ export class IPInfoClient {
 // Rate limiting
 await this.rateLimit();
- const url = `${this.baseUrl}/${ip}/json?token=${this.apiKey}`;
+ // Send the token via Authorization header, not the URL query string
+ // (URL params leak into proxy/server logs).
+ const url = `${this.baseUrl}/${ip}/json`;
 try {
- const response = await fetch(url);
+ const response = await fetch(url, {
+ headers: { Authorization: `Bearer ${this.apiKey}` },
+ });
 if (!response.ok) {
 if (response.status === 429) {
@@ -135,13 +139,14 @@ export class IPInfoClient {
 // Rate limiting
 await this.rateLimit();
- const url = `${this.baseUrl}/batch?token=${this.apiKey}`;
+ const url = `${this.baseUrl}/batch`;
 try {
 const response = await fetch(url, {
 method: "POST",
 headers: {
 "Content-Type": "application/json",
+ Authorization: `Bearer ${this.apiKey}`,
 },
 body: JSON.stringify(uncachedIPs),
 });
diff --git a/Packs/Security/src/Recon/Tools/SubdomainEnum.ts b/Packs/Security/src/Recon/Tools/SubdomainEnum.ts
index bfe0723895..ec6730c09c 100755
--- a/Packs/Security/src/Recon/Tools/SubdomainEnum.ts
+++ b/Packs/Security/src/Recon/Tools/SubdomainEnum.ts
@@ -47,7 +47,9 @@ async function runChaos(domain: string): Promise {
 return [];
 }
 try {
- const result = await $`chaos -key ${key} -d ${domain} -silent`.text();
+ // chaos reads PDCP_API_KEY from the environment; passing -key would expose
+ // the credential in the process argument list (visible via ps/proc).
+ const result = await $`chaos -d ${domain} -silent`.env({ ...process.env, PDCP_API_KEY: key }).text();
 return result.trim().split("\n").filter(Boolean);
 } catch {
 console.error("[chaos] Failed");
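Review bot: `ip` is interpolated straight into the request path on the new `const url = ${this.baseUrl}/${ip}/json` line; unless it is validated earlier in the method (its start is outside the hunk), a value containing `/`, `?` or `#` changes the path or re-introduces a query string, so validating it as an IPv4/IPv6 literal or at minimum using `encodeURIComponent(ip)` keeps the request on the intended endpoint. The header has the same gap the old query string had when `this.apiKey` is unset: `Bearer ${this.apiKey}` sends the literal `Bearer undefined` just as `token=undefined` did, and a guard that throws (or omits the header) when the key is missing gives a clearer failure than a 401 from the service. Both points apply equally to the batch hunk below. The 429 handling continues past the end of this hunk.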
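Review bot: The `Authorization: Bearer ${this.apiKey}` header is now assembled inline in two places (this hunk and the single-IP lookup above), so a future change to the auth scheme can update one and miss the other; a small private helper such as `private authHeaders(): Record<string, string> { return { Authorization: `Bearer ${this.apiKey}` }; }` spread into both `fetch` calls keeps it in one spot. Nothing in the hunk bounds the size of `uncachedIPs` before it is serialized into the body; if the provider caps batch requests, chunking here or in the caller (outside the hunk) avoids a whole-batch rejection, which is worth confirming against its documented limits. The function body continues past the hunk.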
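Review bot: The `catch {}` still discards the error and logs only `[chaos] Failed`, so a missing binary, an invalid key and a network error are indistinguishable to the operator; `catch (e) { console.error("[chaos] Failed:", e instanceof Error ? e.message : String(e)); }` keeps the diagnosis, and since the key is no longer on the command line the message cannot echo it back. The new comment could also note that `.env()` narrows rather than removes the exposure: `/proc/<pid>/environ` is readable by other processes of the same user, while argv is readable by every user, e.g. `// child env is still readable by same-uid processes; this only removes the world-readable argv exposure`. Spreading all of `process.env` into the child is needed so `PATH` still resolves `chaos`, but it also forwards every other variable of this process; if other credentials live in the environment, passing a minimal set (`PATH`, `HOME`, `PDCP_API_KEY`) is the tighter option. If `$` here is Bun's shell, `${domain}` is escaped as a single argument and is not a shell-injection vector, but the part of `runChaos` above the hunk should still validate it as a hostname before handing it to an external tool.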
diff --git a/Packs/Security/src/WebAssessment/WebappScripts/with_server.py b/Packs/Security/src/WebAssessment/WebappScripts/with_server.py
index 431f2eba16..9d9ad65c4b 100755
--- a/Packs/Security/src/WebAssessment/WebappScripts/with_server.py
+++ b/Packs/Security/src/WebAssessment/WebappScripts/with_server.py
@@ -65,10 +65,13 @@ def main():
 for i, server in enumerate(servers):
 print(f"Starting server {i+1}/{len(servers)}: {server['cmd']}")
- # Use shell=True to support commands with cd and &&
+ # shell=True is intentional: this is a local developer helper and `server['cmd']`
+ # is the operator's own --server argument (needs cd/&& support). The command is
+ # already operator-controlled at the same trust level as the shell invoking this
+ # script, so there is no privilege boundary to cross. Do NOT pass untrusted input here.
 process = subprocess.Popen(
 server['cmd'],
- shell=True,
+ shell=True, # nosec B602 - operator-supplied local command, see note above
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE
 )
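Review bot: `stdout=subprocess.PIPE` and `stderr=subprocess.PIPE` on a long-running server process are a deadlock risk unless both pipes are drained continuously: once the child has written about a pipe buffer's worth (64 KiB on Linux) to either stream it blocks, and the server appears to hang. The rest of `main()` is outside the hunk, so if it only polls or waits on `process` without reading, redirecting to a log file or `subprocess.DEVNULL`, or merging with `stderr=subprocess.STDOUT` and reading the one stream in a background thread, removes the hazard. The new justification for `shell=True` is sound; one sentence worth adding to it is that `server['cmd']` is also echoed by the `print` two lines above, so the operator should not embed secrets in the --server argument, e.g. `# the command is printed verbatim at startup; keep credentials out of it (use env vars)`.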