Is it possible to put the client id and client secret in headers instead of query params?

[src-kearney]

Sending client ID and client secret in the URL as query params is less secure than putting them in headers.

The querystring is encrypted with SSL, but URLs are stored in server logs which can be a security vulnerability.

Source: https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl