Techniques are disclosed relating to protecting sensitive data in references to network resources. In some embodiments, a host system receives a request for a stored resource, where a first portion of the request is encrypted by a client device using a particular encryption technique and a second portion of the request is not encrypted using the particular encryption technique and where the first portion of the request includes a reference to the resource. In some embodiments, the host decrypts the reference to the resource and provides the resource to the requesting device based on the decrypted reference.