We are sending entity id as plain text. We should encrypt this and also other secret fields on http requests.