API - Workfront External Page Authentication

Workfront allows you to pass variables into the url of an external page: ? ID = { ! ID } & session = { ! $$SESSION } I'm embedding a custom page (node.js Express server) made with data from the Workfront API and using the SessionID from the url to authenticate the API requests. I have some concerns on the best practices around this approach. I imagine exposing the sessionID in the url like this is a security concern. There's a few different approaches I have in mind for managing this, but I was wondering if anyone else has some experience on how they handle it in a "Workfront way" Connor Butters